CVE-2019-19144
📋 TL;DR
This CVE describes an XML External Entity (XXE) injection vulnerability in Quantum DXi6702 backup appliances. Attackers can exploit this via the REST API authentication endpoint to read arbitrary files, potentially including sensitive configuration data. Organizations using Quantum DXi6702 devices with the vulnerable firmware are affected.
💻 Affected Systems
- Quantum DXi6702
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via file disclosure leading to credential theft, configuration extraction, and potential lateral movement within the network.
Likely Case
Unauthorized access to sensitive files containing configuration data, credentials, or system information that could facilitate further attacks.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the REST API endpoint.
🎯 Exploit Status
The advisory includes detailed exploitation steps and proof-of-concept code. XXE vulnerabilities are well-understood and frequently weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact Quantum support for updated firmware
Vendor Advisory: https://www.quantum.com/support
Restart Required: Yes
Instructions:
1. Contact Quantum support for the latest firmware update.
2. Back up the device configuration.
3. Apply the firmware update following Quantum's documentation.
4. Verify that the update was successful and test functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the DXi6702 REST API endpoint to trusted management networks only
Disable XML External Entity Processing
Configure the XML parser to disable external entity processing, if the device configuration allows it
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the DXi6702 from untrusted networks
- Monitor for unusual access patterns to the /rest/Users endpoint and file read attempts
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or SSH. If the firmware version is 2.3.0.3 (11449-53631 Build304), the device is vulnerable.
Check Version:
Check via web interface at System > About, or via SSH: cat /etc/version
Verify Fix Applied:
Verify that the firmware has been updated to a version later than 2.3.0.3 (11449-53631 Build304) and test that XXE payloads no longer work.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML payloads in REST API requests
- Multiple failed authentication attempts via /rest/Users
- File access patterns from the web service process
Network Indicators:
- HTTP POST requests to /rest/Users?action=authenticate containing XML entities
- Outbound connections from the DXi6702 to external servers following XXE exploitation
SIEM Query:
source="dxi6702" AND (uri_path="/rest/Users" AND uri_query="action=authenticate") AND (request_body CONTAINS "<!ENTITY" OR request_body CONTAINS "SYSTEM")
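The SIEM query above, expressed as a small log scanner, as an added example that is not part of the original advisory. It assumes a constructed log format of "source | client | method | uri | body" (not a real DXi log format) and adds "<!DOCTYPE" as a third marker (an assumption) so that an inline DTD is flagged even before an entity is declared; a bare "SYSTEM" match is reported separately because it can also appear in legitimate content.

```python
from urllib.parse import urlsplit, parse_qs

# Markers from the advisory's SIEM query, plus "<!DOCTYPE" (assumption: an inline
# DTD in an authentication request is itself unusual and worth surfacing).
XXE_MARKERS = ("<!ENTITY", "SYSTEM", "<!DOCTYPE")

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    'dxi6702 | 10.0.0.5 | POST | /rest/Users?action=authenticate | '
    '<?xml version="1.0"?><!DOCTYPE u [<!ENTITY e SYSTEM "file:///placeholder">]><u>&e;</u>',
    'dxi6702 | 10.0.0.6 | POST | /rest/Users?action=authenticate | <u><name>alice</name></u>',
    'dxi6702 | 10.0.0.7 | POST | /rest/Users?action=list | <!DOCTYPE u>',
    'other-host | 10.0.0.8 | POST | /rest/Users?action=authenticate | <!ENTITY',
]

def parse_log_line(line):
    """Split a 'source | client | method | uri | body' line (constructed format)."""
    parts = [p.strip() for p in line.split(" | ", 4)]
    if len(parts) != 5:
        return None  # malformed line: skip rather than guess
    source, client, method, uri, body = parts
    url = urlsplit(uri)
    return {
        "source": source, "client": client, "method": method,
        "path": url.path, "query": parse_qs(url.query), "body": body,
    }

def check_xxe(record):
    """Return the markers found in the body of a /rest/Users?action=authenticate request.

    Mirrors the query: source="dxi6702" AND uri_path="/rest/Users" AND
    uri_query="action=authenticate" AND body contains one of the markers.
    """
    if record is None or record["source"] != "dxi6702":
        return []
    if record["path"] != "/rest/Users" or record["query"].get("action") != ["authenticate"]:
        return []
    body = record["body"].upper()  # case-insensitive match on the markers
    return [m for m in XXE_MARKERS if m in body]

def scan(lines):
    """Return (client, markers) for every line that matches the indicators."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        markers = check_xxe(record)
        if markers:
            hits.append((record["client"], markers))
    return hits
```

Only the first sample line is reported; the third fails the action filter and the fourth the source filter, which is the same logic the SIEM query applies.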