CVE-2019-14678

10.0 CRITICAL

📋 TL;DR

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that allows attackers to read local files, exfiltrate data, perform server-side request forgery, or cause denial of service. This affects SAS XML Mapper and the XMLV2 LIBNAME engine when using the AUTOMAP option. Organizations using these SAS components are at risk.

💻 Affected Systems

Products:
  • SAS XML Mapper
  • SAS XMLV2 LIBNAME engine
Versions: 9.45
Operating Systems: All platforms running SAS
Default Config Vulnerable: ⚠️ Yes
Notes: The XMLV2 LIBNAME engine is only vulnerable when the AUTOMAP option is used.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via file reading leading to credential theft, data exfiltration, SSRF attacks on internal systems, and denial of service.

🟠 Likely Case: Local file reading and data exfiltration from vulnerable servers, potentially exposing sensitive configuration files or data.

🟢 If Mitigated: Limited impact if proper network segmentation and input validation are in place, but still vulnerable to local file reading.

🌐 Internet-Facing: HIGH - If exposed to untrusted XML input, attackers can exploit remotely without authentication.
🏢 Internal Only: HIGH - Even internal systems processing XML from untrusted sources are vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with readily available exploit techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply hotfix from SAS support

Vendor Advisory: http://support.sas.com/kb/64/719.html

Restart Required: Yes

Instructions:

1. Contact SAS support for the hotfix.
2. Apply the provided patch.
3. Restart affected SAS services.
4. Verify that XML parsing now rejects external entities.

🔧 Temporary Workarounds

Disable external entity processing
Platforms: all
Configure the XML parser to disable external entity resolution. Modify the SAS configuration to set the XML parser properties FEATURE_SECURE_PROCESSING=true and disallow-doctype-decl=true.

Avoid AUTOMAP option
Platforms: all
Do not use the AUTOMAP option with the XMLV2 LIBNAME engine. Use an explicit XML map instead of AUTOMAP in SAS code.

🧯 If You Can't Patch

  • Implement strict input validation to reject XML containing DOCTYPE declarations
  • Network segmentation to isolate SAS systems from untrusted networks
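As an added, defensive example (not SAS code and not part of this advisory), a Python gate that refuses to forward any XML containing a DOCTYPE declaration, which is the only place entities can be declared, to SAS XML Mapper or an XMLV2 AUTOMAP step. The sample documents and the placeholder DTD URL are constructed for the example; the decision comes from the parser's own DOCTYPE callback rather than a text search, so comments or whitespace ahead of the declaration cannot hide it.

```python
"""Reject XML carrying a DOCTYPE before it reaches an XXE-prone parser.
Standard library only; no network or file access is ever performed."""
from typing import Tuple
from xml.parsers import expat

# Constructed sample inputs (not taken from the advisory).
SAFE_DOC = b'<?xml version="1.0"?><root><row id="1">ok</row></root>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE root [<!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe;]>'
           b'<root/>')
# A comment before the DOCTYPE defeats a naive "starts with <!DOCTYPE" check.
SNEAKY_DOC = (b'<?xml version="1.0"?>\n<!-- harmless looking -->\n'
              b'<!DOCTYPE root SYSTEM "http://dtd.placeholder.invalid/x.dtd">'
              b'<root/>')


class _DoctypeSeen(Exception):
    """Raised from the handler to stop parsing the moment a DOCTYPE appears."""


def has_doctype(data: bytes) -> bool:
    """True if the document declares a DOCTYPE (internal subset or external).

    Raising inside the handler aborts parsing immediately, so the DTD body,
    including any parameter-entity references, is never processed. expat is
    left at its defaults, which never resolves external entities anyway.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _DoctypeSeen()

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except _DoctypeSeen:
        return True
    return False


def gate(data: bytes) -> Tuple[bool, str]:
    """Decide whether `data` may be handed to SAS. Returns (accepted, reason).

    Malformed input is rejected too: a document that cannot be parsed safely
    here should not be parsed by a more permissive engine downstream.
    """
    try:
        if has_doctype(data):
            return False, "DOCTYPE declaration present"
    except expat.ExpatError as err:
        return False, "malformed XML: %s" % err
    return True, "ok"
```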

🔍 How to Verify

Check if Vulnerable:

Test with XXE payload: <?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "file:///etc/passwd"> %xxe;]>

Check Version:

Check SAS version using SAS system options or proc product_status

Verify Fix Applied:

Repeat the same XXE test after patching; the parser should reject or ignore external entities.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors containing file paths or external entity references
  • Unusual outbound connections from SAS processes

Network Indicators:

  • HTTP requests to internal systems from SAS servers
  • Large XML payloads with DOCTYPE declarations

SIEM Query:

source="sas_logs" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM")
