CVE-2020-13576
📋 TL;DR
A remote code execution vulnerability exists in the WS-Addressing plugin of Genivia gSOAP 2.8.107. Attackers can exploit this by sending a specially crafted SOAP request over HTTP, potentially gaining full control of affected systems. This affects any application or service using the vulnerable gSOAP library for SOAP web services.
💻 Affected Systems
- Genivia gSOAP
📦 What is this software?
Fedora by Fedoraproject
Gsoap by Genivia
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code with the privileges of the gSOAP process, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Remote code execution leading to service disruption, data exfiltration, or installation of backdoors on vulnerable systems.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though exploitation could still cause service disruption.
🎯 Exploit Status
Exploitation requires sending a crafted SOAP request to a vulnerable endpoint. The Talos report provides technical details that could be used to create exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: gSOAP 2.8.108 or later
Vendor Advisory: https://www.genivia.com/advisory.html
Restart Required: Yes
Instructions:
1. Upgrade gSOAP to version 2.8.108 or later.
2. Recompile any applications using gSOAP with the updated library.
3. Restart affected services.
4. For embedded systems, update the gSOAP library in your codebase and redeploy.
🔧 Temporary Workarounds
Disable WS-Addressing plugin
Platform: all
If WS-Addressing functionality is not required, disable the plugin to prevent exploitation.
Recompile gSOAP without WS-Addressing support: ./configure --disable-wsa
Modify application code to not use WS-Addressing features
Network filtering
Platform: linux
Block or filter SOAP requests containing WS-Addressing headers at network boundaries.
iptables rules or WAF rules to block suspicious SOAP requests
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks.
- Deploy web application firewall (WAF) rules to detect and block malicious SOAP requests targeting WS-Addressing.
🔍 How to Verify
Check if Vulnerable:
Check gSOAP version: soapcpp2 -v 2>&1 | grep version. If output shows 2.8.107, system is vulnerable. Also check if applications link against vulnerable gSOAP library.
Check Version:
soapcpp2 -v 2>&1 | grep version || ldd /path/to/application | grep libgsoap
Verify Fix Applied:
Verify gSOAP version is 2.8.108 or later: soapcpp2 -v 2>&1 | grep version. Test SOAP services with WS-Addressing requests to ensure they function without crashing.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of gSOAP-based services
- Unusual SOAP request patterns with WS-Addressing headers
- Failed authentication attempts followed by SOAP requests
Network Indicators:
- HTTP POST requests with SOAP envelopes containing malformed WS-Addressing headers
- Unusual traffic to SOAP service ports (typically 80, 443, or custom ports)
SIEM Query:
source="*web.log*" AND ("SOAP" OR "WS-Addressing") AND ("malformed" OR "crash" OR "exception")
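An added example (not from the vendor advisory or the Talos report): a Python triage function for captured HTTP POST bodies that separates SOAP requests carrying WS-Addressing header blocks from plain SOAP, supporting the network-filtering workaround and the network indicators above. The function names, verdict labels and sample requests are constructed for illustration; the page does not say which header content is malicious, so the code reports only presence and well-formedness.

```python
import xml.etree.ElementTree as ET

SOAP_NS = {"http://schemas.xmlsoap.org/soap/envelope/",      # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope"}        # SOAP 1.2
WSA_NS = {"http://www.w3.org/2005/08/addressing",            # W3C WS-Addressing 1.0
          "http://schemas.xmlsoap.org/ws/2004/08/addressing",
          "http://schemas.xmlsoap.org/ws/2004/03/addressing",
          "http://schemas.xmlsoap.org/ws/2003/03/addressing"}

def _split(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def classify_soap(body):
    """Classify one POST body (bytes) -> (verdict, WS-Addressing header names).

    Verdicts (labels are this example's own): "reject" for a DTD or XML that
    is not well-formed, "not-soap", "wsa", or "plain-soap".
    """
    # SOAP forbids DTDs; refusing them also avoids entity expansion.
    # Assumes an ASCII-compatible encoding such as UTF-8.
    if b"<!DOCTYPE" in body:
        return "reject", []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "reject", []
    ns, local = _split(root.tag)
    if local != "Envelope" or ns not in SOAP_NS:
        return "not-soap", []
    found = []
    header = root.find("{%s}Header" % ns)
    if header is not None:
        for child in header:          # header blocks are direct children of Header
            child_ns, child_local = _split(child.tag)
            if child_ns in WSA_NS:
                found.append(child_local)
    return ("wsa" if found else "plain-soap"), found

# Constructed sample requests (not captured traffic).
WSA_REQUEST = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
<s:Header><wsa:To>http://service.example/ep</wsa:To><wsa:Action>urn:example:op</wsa:Action><wsa:MessageID>urn:uuid:0000</wsa:MessageID></s:Header>
<s:Body/></s:Envelope>"""
PLAIN_REQUEST = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for name, body in [("wsa", WSA_REQUEST), ("plain", PLAIN_REQUEST), ("truncated", WSA_REQUEST[:150])]:
        print(name, classify_soap(body))
```

On a service that does not need WS-Addressing, "wsa" and "reject" verdicts are the ones to block or alert on; where the plugin is in use, "wsa" only narrows which requests to review.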
🔗 References
- https://lists.debian.org/debian-lts-announce/2024/02/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187