#VU31830 XML External Entity injection in Libxml2 - CVE-2016-9318

Cybersecurity Help s.r.o.

Published: 2016-11-16 | Updated: 2020-07-24

Vulnerability identifier: #VU31830

Vulnerability risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9318

CWE-ID: CWE-611

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libxml2: 6.0.19

External links
https://www.securityfocus.com/bid/94347
https://bugzilla.gnome.org/show_bug.cgi?id=772726
https://github.com/lsh123/xmlsec/issues/43
https://security.gentoo.org/glsa/201711-01
https://usn.ubuntu.com/3739-1/
https://usn.ubuntu.com/3739-2/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM RackSwitch firmware update for Libxml2

Multiple vulnerabilities in IBM Flex System Chassis Management Module (CMM)

Gentoo update for libxml2

Multiple vulnerabilities in IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems

XML External Entity injection in libxml2 (Alpine package)

XML External Entity injection in Libxml2