Full Report
Moxa’s cellular management software OnCell Central Manager, in versions lower than 2.4.1, was affected by an XML External Entity (XXE) vulnerability caused by its use of a vulnerable third-party component (Apache Flex BlazeDS).
Analysis Summary
# Vulnerability: XXE in Moxa OnCell Central Manager via Apache Flex BlazeDS
## CVE Details
- **CVE ID:** CVE-2015-3269
- **CVSS Score:** 7.5 (High). *Note: the source text lists a base score of 0.0, but the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N evaluates to 7.5.*
- **CWE:** CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- **Products:** Moxa OnCell Central Manager
- **Versions:** All versions lower than 2.4.1
- **Configurations:** Systems utilizing the integrated third-party component Apache Flex BlazeDS for data serialization/messaging.
## Vulnerability Description
OnCell Central Manager is vulnerable to XML External Entity (XXE) processing. The flaw resides in a third-party library, Apache Flex BlazeDS (specifically versions prior to 4.7.1). The AMF (Action Message Format) deserializer in BlazeDS fails to properly restrict or disable external entities when parsing XML documents. An unauthenticated remote attacker can send a specially crafted XML payload to the server, causing the XML parser to access arbitrary files on the local file system or internal network resources.
## Exploitation
- **Status:** PoC Available (Publicly known for the underlying component CVE-2015-3269).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential to read sensitive system files and internal network data).
- **Integrity:** None (The advisory indicates no direct modification of data).
- **Availability:** None (Though XXE can sometimes lead to DoS, the primary impact here is data disclosure).
- **Other:** The advisory mentions potential arbitrary code execution, though typical XXE leads to information disclosure unless coupled with other flaws.
## Remediation
### Patches
- **Upgrade to OnCell Central Manager Version 2.4.1 or higher.**
- The vendor has migrated the internal library to **Apache Flex BlazeDS version 4.7.3**, which contains the necessary security fixes.
### Workarounds
- There are no specific software workarounds provided. Users are advised to contact Moxa Technical Support for the specific security patch if they cannot perform a full version upgrade.
## Detection
- **Indicators of Compromise:** Monitor network traffic for unusual AMF/XML POST requests directed at the OnCell Central Manager web interface whose bodies contain a `<!DOCTYPE` or `<!ENTITY` declaration or a `SYSTEM` external identifier. The management traffic is machine-generated, so a DTD in it is abnormal in itself.
- **Detection methods and tools:** Use a Web Application Firewall (WAF) to inspect XML traffic for DTD and external entity declarations. Vulnerability scanners can probe the AMF endpoint for XXE susceptibility.
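The following Python is an added example, not code from the Kaspersky ICS CERT advisory, from Moxa, or from the BlazeDS project. It ties together the detection described in this section and the parser-side mitigation implied by the vulnerability description: a byte-level scan of a request body for the DTD constructs named above, and an XML parsing routine that refuses any document carrying a DOCTYPE, which is the strictest CWE-611 mitigation because no entity can then be declared, let alone resolved. The scan works on the undecoded AMF body because AMF3 carries XML and XMLDocument values as a length-prefixed UTF-8 string, so DTD text appears verbatim inside the binary message. The function names (`xxe_indicators`, `classify_request`, `parse_untrusted_xml`, `amf3_xml_document`) are the example's own; the sample XML bodies are constructed for the demonstration, the `file:///placeholder/path` URI is a deliberately fake placeholder, and only the AMF3 XMLDocument value is encoded, not a complete AMF packet with its headers.

```python
"""Detection and hardening helpers for XXE in AMF-carried XML (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import List

# DTD constructs an XXE payload depends on. XML keywords are case-sensitive, so a
# conforming parser would not treat "<!doctype" as a DTD; matching is therefore exact.
DTD_PATTERNS = {
    "doctype": re.compile(rb"<!DOCTYPE\b"),
    "entity_decl": re.compile(rb"<!ENTITY\b"),
    "system_id": re.compile(rb"\bSYSTEM\s+[\"']"),
    "public_id": re.compile(rb"\bPUBLIC\s+[\"']"),
}


def _u29(value: int) -> bytes:
    """AMF3 variable-length U29 integer: 1 to 4 bytes, 29 significant bits."""
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([0x80 | (value >> 7), value & 0x7F])
    if value < 0x200000:
        return bytes([0x80 | (value >> 14), 0x80 | ((value >> 7) & 0x7F), value & 0x7F])
    if value < 0x20000000:
        return bytes([0x80 | (value >> 22), 0x80 | ((value >> 15) & 0x7F),
                      0x80 | ((value >> 8) & 0x7F), value & 0xFF])
    raise ValueError("U29 overflow")


def amf3_xml_document(xml_text: str) -> bytes:
    """Encode xml_text as an AMF3 XMLDocument value: marker 0x07, U29 length, UTF-8.

    The U29 holds (byte_length << 1) | 1; the low bit marks an inline value rather
    than a back-reference. A real request wraps this in an AMF packet, but the XML
    itself always travels as plain UTF-8, which is what makes byte scanning viable.
    """
    data = xml_text.encode("utf-8")
    return b"\x07" + _u29((len(data) << 1) | 1) + data


def xxe_indicators(body: bytes) -> List[str]:
    """Names of DTD constructs found in a raw request body, ordered by first offset.

    Runs on the undecoded AMF body; embedded XML strings are not transformed there.
    An empty list means no DTD machinery is present at all.
    """
    hits = []
    for name, pattern in DTD_PATTERNS.items():
        match = pattern.search(body)
        if match:
            hits.append((match.start(), name))
    return [name for _, name in sorted(hits)]


def classify_request(body: bytes) -> str:
    """WAF-style verdict: 'block' when any DTD construct is present, else 'allow'."""
    return "block" if xxe_indicators(body) else "allow"


def parse_untrusted_xml(xml_bytes: bytes) -> str:
    """Parse XML from an untrusted peer and return the root element's tag.

    A document type declaration is refused before parsing, so no entity (internal
    or external) can be declared. Python's expat backend also does not fetch
    external entities by default, but refusing the DOCTYPE makes the policy
    explicit and testable instead of relying on a library default.
    """
    if DTD_PATTERNS["doctype"].search(xml_bytes):
        raise ValueError("refusing XML that carries a DOCTYPE declaration")
    return ET.fromstring(xml_bytes).tag


# Constructed sample payloads (not captured traffic). The hostile one uses an
# obviously fake placeholder URI; only its DTD structure matters for detection.
BENIGN_XML = '<?xml version="1.0"?><status><device id="oncell-01">online</device></status>'
HOSTILE_XML = ('<?xml version="1.0"?>'
               '<!DOCTYPE status [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               '<status>&ext;</status>')

if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_XML), ("hostile", HOSTILE_XML)):
        body = amf3_xml_document(xml_text)
        print(f"{label}: verdict={classify_request(body)} indicators={xxe_indicators(body)}")
        try:
            print(f"{label}: parsed root <{parse_untrusted_xml(xml_text.encode())}>")
        except (ValueError, ET.ParseError) as exc:
            print(f"{label}: rejected ({exc})")
```

Running the module prints an `allow` verdict with no indicators for the benign status message and a `block` verdict listing `doctype`, `entity_decl` and `system_id` for the hostile one; the parser accepts the first and raises on the second. Both halves are deliberately independent: the scan is what a WAF or IDS in front of the management interface would apply to request bodies, while the DOCTYPE refusal is what the application's own deserializer should enforce regardless of what sits in front of it.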
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2020/03/16/klcert-20-002-xxe-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2015-3269
- **Moxa Support:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory