CVE-2018-20687
📋 TL;DR
This is an XML External Entity (XXE) vulnerability in Raritan CommandCenter Secure Gateway that allows remote unauthenticated attackers to read arbitrary files from the server or conduct Server-Side Request Forgery (SSRF) attacks. The vulnerability affects web services endpoints and can be exploited via crafted XML requests containing malicious DTDs. All systems running vulnerable versions are at risk.
💻 Affected Systems
- Raritan CommandCenter Secure Gateway
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via file disclosure of sensitive data (passwords, keys, configuration files) combined with SSRF to attack internal services, potentially leading to lateral movement and full network compromise.
Likely Case
Unauthenticated attackers reading sensitive server files (configuration, credentials) and using SSRF to probe internal networks or attack internal services.
If Mitigated
Limited impact if proper network segmentation and XML parsing hardening are in place, though file disclosure remains possible.
🎯 Exploit Status
Public exploit code available in Packet Storm disclosures. Simple XML injection requiring basic XXE knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0 or later
Vendor Advisory: https://www.raritan.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Download CommandCenter Secure Gateway version 8.0.0 or later from the Raritan support portal.
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart the CommandCenter service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable XXE Processing
Configure the XML parser to disable external entity processing and DTD resolution by setting the following parser features:
- feature("http://apache.org/xml/features/disallow-doctype-decl", true);
- feature("http://xml.org/sax/features/external-general-entities", false);
- feature("http://xml.org/sax/features/external-parameter-entities", false);
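As an added example (not code from Raritan or from this advisory), the following Java JAXP configuration applies the three parser features above, together with the usual companion settings, and shows that a request body carrying a DOCTYPE is rejected before any entity is resolved. The request bodies and the urn:example namespace are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Build a DocumentBuilder with the three features named in the workaround,
    // plus the JAXP-level settings that back them up.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: no DTD means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever permitted again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse a request body and return the root element name; hostile input throws.
    public static String parseRequest(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request bodies, not traffic captured from any real system.
        String benign = "<ws:getVersion xmlns:ws=\"urn:example\"/>";
        String withDtd = "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///placeholder/path\">]>"
                + "<ws:getVersion xmlns:ws=\"urn:example\">&e;</ws:getVersion>";

        System.out.println("benign -> " + parseRequest(benign));
        try {
            parseRequest(withDtd);
            System.out.println("dtd    -> accepted (parser is NOT hardened)");
        } catch (SAXException e) {
            // With disallow-doctype-decl the parse fails at the DOCTYPE itself.
            System.out.println("dtd    -> rejected: " + e.getMessage());
        }
    }
}
```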
Network Access Control
Restrict access to the CommandCenterWebServices endpoints using firewall rules, for example:
iptables -A INPUT -p tcp --dport [CommandCenterPort] -s [TrustedIPs] -j ACCEPT
iptables -A INPUT -p tcp --dport [CommandCenterPort] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CommandCenter from sensitive systems
- Deploy a web application firewall (WAF) with XXE protection rules to filter malicious XML requests
🔍 How to Verify
Check if Vulnerable:
Test by sending a crafted XXE payload to CommandCenterWebServices endpoints and checking for file disclosure or SSRF behavior
Check Version:
Check CommandCenter web interface or admin console for version information
Verify Fix Applied:
Verify version is 8.0.0 or later and test that XXE payloads no longer result in file disclosure or SSRF
📡 Detection & Monitoring
Log Indicators:
- Unusual XML requests to CommandCenterWebServices endpoints
- Requests containing DOCTYPE declarations or external entity references
- Outbound connections from CommandCenter to internal systems
Network Indicators:
- XML payloads with file:// or http:// entities in requests to CommandCenter ports
- Unexpected outbound connections from CommandCenter server
SIEM Query:
source="CommandCenter" AND request_uri="*CommandCenterWebServices*" AND (request_body="*DOCTYPE*" OR request_body="*ENTITY*" OR request_body="*file://*")