CVE-2017-10670
📋 TL;DR
This XML External Entity (XXE) vulnerability in OSCI-Transport allows attackers to read arbitrary files, perform server-side request forgery (SSRF), or potentially execute code by sending specially crafted OSCI messages. It affects systems using OSCI Transport Library 1.6.1 (Java) or 1.6 (.NET) for German e-government communication. Organizations using OSCI infrastructure for document exchange are vulnerable.
💻 Affected Systems
- OSCI Transport Library (Java)
- OSCI Transport Library (.NET)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through remote code execution, sensitive data exfiltration including system files and credentials, and lateral movement within the infrastructure.
Likely Case
Unauthorized reading of sensitive files on the server, including configuration files, credentials, and application data, potentially leading to data breaches.
If Mitigated
Limited impact with proper XML parsing configuration that disables external entity processing, restricting attackers to denial of service or minimal information disclosure.
🎯 Exploit Status
Exploitation requires ability to send OSCI messages within the infrastructure. Public disclosure includes technical details but not full weaponized exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java: 1.6.2, .NET: 1.6.1
Vendor Advisory: http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html
Restart Required: Yes
Instructions:
1. Download the updated OSCI Transport Library from official sources.
2. Replace the vulnerable library files.
3. Restart affected services.
4. Verify that the XML parser configuration disables external entities.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution.
For Java: set XMLConstants.FEATURE_SECURE_PROCESSING = true and the parser feature http://apache.org/xml/features/disallow-doctype-decl = true
For .NET: set XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit and XmlReaderSettings.XmlResolver = null
Input Validation Filter
Filter or block XML messages containing DOCTYPE declarations.
Implement a pre-processing filter that rejects any XML containing a <!DOCTYPE> declaration. External entities can only be declared inside a DTD, so rejecting the DOCTYPE as a whole removes the XXE vector before the message reaches the parser.
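Both workarounds above (a hardened parser configuration and a DOCTYPE pre-filter) can be combined into one defence-in-depth check in front of the parser. The following Java class is an added example written for this page; it is not code from the OSCI Transport Library, whose own parsing entry points are not shown here. The class name OsciXmlHardening, the sample messages and the `parseOsciMessage` helper are assumptions for illustration; the feature URIs are the standard JAXP/Xerces ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical wrapper class (not part of the OSCI Transport Library).
public class OsciXmlHardening {

    // Layer 1: a parser factory that refuses DOCTYPE declarations and, as a
    // fallback, disables every form of external entity and DTD loading.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: any <!DOCTYPE ...> makes the parse fail.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE ever has to be permitted.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Layer 2: a cheap pre-processing filter that rejects a message before it
    // is handed to any XML parser at all.
    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    public static boolean containsDoctype(String xml) {
        return DOCTYPE.matcher(xml).find();
    }

    // Hypothetical entry point standing in for wherever inbound OSCI XML is parsed.
    public static Document parseOsciMessage(String xml) throws Exception {
        if (containsDoctype(xml)) {
            throw new IllegalArgumentException("rejected: OSCI message contains a DOCTYPE declaration");
        }
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages; the element names are placeholders, not the OSCI schema.
        String benign = "<osciMessage><body>hello</body></osciMessage>";
        // A DOCTYPE with only an internal entity is enough to exercise both layers
        // without embedding an external-entity payload.
        String withDoctype = "<!DOCTYPE osciMessage [<!ENTITY x \"y\">]><osciMessage>&x;</osciMessage>";

        System.out.println("benign root: " + parseOsciMessage(benign).getDocumentElement().getTagName());

        try {
            parseOsciMessage(withDoctype);
        } catch (IllegalArgumentException e) {
            System.out.println("filter layer: " + e.getMessage());
        }

        // Show that the parser layer rejects the same message even if the filter were bypassed.
        try {
            hardenedFactory().newDocumentBuilder()
                    .parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("parser layer: " + e.getMessage());
        }
    }
}
```

Run it with `javac OsciXmlHardening.java && java OsciXmlHardening`. The benign message parses, the DOCTYPE message is stopped by the regex filter, and the third block shows that `disallow-doctype-decl` alone also rejects it, so either layer on its own closes the DTD-based XXE path; keeping both means a parser misconfiguration elsewhere in the application does not silently reopen it.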
🧯 If You Can't Patch
- Implement network segmentation to isolate OSCI message processing systems
- Deploy web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check the library version in the application's dependencies: Java: look for osci-transport-1.6.1.jar; .NET: look for OSCI.Transport.dll version 1.6.0.0.
Check Version:
Java: run java -cp osci-transport.jar de.osci.osci.OsciMessage --version (if available) or inspect the JAR manifest. .NET: check the assembly version in the file properties.
Verify Fix Applied:
Verify the updated library versions (Java 1.6.2, .NET 1.6.1) and test with an XXE payload, which should be rejected.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors mentioning external entities
- Unexpected file read operations from XML processor
- Network connections to internal resources initiated by XML parser
Network Indicators:
- Unusual OSCI message patterns with DOCTYPE declarations
- XML messages containing SYSTEM or PUBLIC identifiers
- Requests for internal resources or file:// URLs originating from XML processing systems
SIEM Query:
source="*osci*" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")