CVE-2019-5815
📋 TL;DR
This is a type confusion vulnerability in libxslt's xsltNumberFormatGetMultipleLevel function that could allow heap corruption via specially crafted XML data. Attackers could potentially execute arbitrary code or cause denial of service. Affects applications using vulnerable libxslt versions to process untrusted XML/XSLT content.
💻 Affected Systems
- libxslt
- Applications using libxslt (e.g., web browsers, XML processors, document converters)
📦 What is this software?
Libxslt by Xmlsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crash causing denial of service, potentially leading to data corruption in affected systems.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially just crashes in isolated processes.
🎯 Exploit Status
Exploitation requires crafting malicious XML/XSLT content. Public proof-of-concept exists in Chromium bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libxslt 1.1.33 and later
Vendor Advisory: https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
Restart Required: Yes
Instructions:
1. Update libxslt to version 1.1.33 or later using your package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade libxslt1.1' (Debian/Ubuntu) or 'sudo yum update libxslt' (RHEL/CentOS).
3. Restart affected applications/services.
4. Recompile applications statically linked to libxslt with updated library.
🔧 Temporary Workarounds
Disable XSLT processing
Prevent processing of XSLT stylesheets in applications where not required
Application-specific configuration to disable XSLT support
Input validation and sanitization
Validate and sanitize XML input before processing with libxslt
Implement XML schema validation
Use whitelisting for allowed XML elements
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with XML/XSLT filtering rules
🔍 How to Verify
Check if Vulnerable:
Check libxslt version: 'xsltproc --version' or 'dpkg -l libxslt1.1' (Debian) or 'rpm -q libxslt' (RHEL). If version is earlier than 1.1.33, system is vulnerable.
Check Version:
xsltproc --version | head -1
Verify Fix Applied:
Confirm libxslt version is 1.1.33 or later using version check commands. Test XML processing functionality remains operational.
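Added example (not part of the original advisory or the libxslt project): 'xsltproc --version' reports the library version in integer form (1.1.33 appears as 10133), so comparing against the fixed release needs a decoding step. The function names and sample inputs below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a libxslt version to 1.1.33.
# libxslt encodes versions as major*10000 + minor*100 + micro, so 1.1.33 = 10133.
FIXED=10133

# Pull the libxslt number out of an `xsltproc --version` banner, e.g.
# "Using libxml 20904, libxslt 10129 and libexslt 817" -> 10129
banner_to_int() {
    printf '%s\n' "$1" | sed -n 's/.*libxslt \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Convert a dotted or package version ("1.1.29", "1.1.29-2.1+deb9u2") to the
# same integer form. Epoch and distro revision are dropped first.
dotted_to_int() {
    v=${1#*:}
    v=${v%%[-+~]*}
    case $v in
        ''|*[!0-9.]*) echo ""; return 0 ;;   # not a numeric version
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Classify an integer-form version against the fixed release.
classify() {
    case $1 in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$1" -lt "$FIXED" ]; then echo vulnerable; else echo patched; fi ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
for banner in \
    "Using libxml 20904, libxslt 10129 and libexslt 817" \
    "Using libxml 20910, libxslt 10134 and libexslt 820"; do
    n=$(banner_to_int "$banner")
    echo "banner libxslt=$n -> $(classify "$n")"
done
for pkg in "1.1.32-2.2" "1.1.33" "not-a-version"; do
    echo "package $pkg -> $(classify "$(dotted_to_int "$pkg")")"
done
```

A package version below 1.1.33 is not conclusive on distributions that backport fixes; check the distribution's advisory for the installed package revision.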
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Memory corruption errors in application logs
- Unusual XML processing patterns
Network Indicators:
- Large or malformed XML payloads to XML processing endpoints
- Unusual traffic to XML/XSLT transformation services
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "heap corruption" OR "libxslt")
🔗 References
- https://bugs.chromium.org/p/chromium/issues/detail?id=930663
- https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
- https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html