CVE-2020-21994
📋 TL;DR
CVE-2020-21994 is a critical authentication bypass vulnerability in AVE DOMINAplus building automation systems. Unauthenticated attackers can retrieve administrative credentials from an unprotected XML file, allowing complete system compromise. Organizations using AVE DOMINAplus version 1.10.x or earlier are affected.
💻 Affected Systems
- AVE DOMINAplus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative access to building automation controls, potentially enabling physical security breaches, environmental manipulation, or service disruption.
Likely Case
Unauthorized access to building management systems leading to data theft, configuration changes, or denial of service.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.
🎯 Exploit Status
Exploitation requires only a single unauthenticated HTTP GET request that retrieves the credentials from the unprotected XML file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.10.x
Vendor Advisory: Not publicly available
Restart Required: Yes
Instructions:
1. Contact AVE for updated firmware version >1.10.x
2. Backup current configuration
3. Apply firmware update following vendor instructions
4. Verify the /xml/authClients.xml file is no longer accessible
🔧 Temporary Workarounds
Access Restriction via Web Server
Block access to the vulnerable XML file using web server configuration:
# Apache: Add to .htaccess or virtual host config
RedirectMatch 403 ^/xml/authClients\.xml$
# Nginx: Add to server block
location ~ ^/xml/authClients\.xml$ { deny all; }
Network Segmentation
Isolate DOMINAplus systems from untrusted networks:
# Firewall rule examples (assumes the DOMINAplus web interface listens on TCP port 80)
# Rules are matched in order: the management-network ACCEPT must come before the DROP,
# otherwise the DROP matches every source first and the ACCEPT is never reached
# Allow only management network access
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
# Block all other access to the DOMINAplus web interface
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate DOMINAplus systems from untrusted networks
- Deploy web application firewall (WAF) rules to block access to /xml/authClients.xml
🔍 How to Verify
Check if Vulnerable:
Attempt an HTTP GET request to http://[target]/xml/authClients.xml. If an XML file containing credentials is returned, the system is vulnerable.
Check Version:
Check the web interface login page or contact the vendor for version information.
Verify Fix Applied:
Attempt the same HTTP GET request. You should receive a 403/404 error, or a response that contains no credentials.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /xml/authClients.xml
- Failed authentication attempts followed by successful logins from new IPs
- Unusual administrative activity patterns
Network Indicators:
- HTTP requests to /xml/authClients.xml from external IPs
- Traffic spikes to DOMINAplus web interface
SIEM Query:
source="web_logs" AND (uri="/xml/authClients.xml" OR (status=200 AND uri LIKE "%/xml/authClients.xml%"))
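As an added defender-side example (not code from the original page or the vendor), the log indicators above applied to a few constructed access-log lines in Apache/Nginx combined format. The management-network prefix 10.0.0.0/24 is an assumption taken from the firewall example; the case-insensitive path match and query-string stripping are added so that variant requests the exact-match SIEM query would miss are still flagged.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" access-log format; the regex captures only the fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/xml/authClients.xml"
# Assumption (from the page's firewall example): the management network is 10.0.0.0/24.
MANAGEMENT_PREFIX = "10.0.0."

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2020:09:00:09 +0000] "GET /xml/authClients.xml HTTP/1.1" 200 884 "-" "curl/7.64"
10.0.0.5 - - [10/Jan/2020:09:01:00 +0000] "GET /XML/AuthClients.XML HTTP/1.1" 200 884 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2020:09:02:00 +0000] "GET /xml/authClients.xml?x=1 HTTP/1.1" 403 199 "-" "curl/7.64"
this line does not parse and must be skipped
"""

def classify(line):
    """Return a finding dict for a request to the credential file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than aborting the scan
    path = urlsplit(m["uri"]).path  # drop any ?query so variant requests are still caught
    if path.lower() != TARGET_PATH.lower():
        return None
    status = int(m["status"])
    if status == 200:
        severity = "critical"  # the file was served: treat the admin credentials as exposed
    elif status in (403, 404):
        severity = "blocked"   # the mitigation held, but someone is probing for the file
    else:
        severity = "review"
    return {
        "ip": m["ip"], "ts": m["ts"], "path": m["uri"], "status": status,
        "severity": severity,
        "external": not m["ip"].startswith(MANAGEMENT_PREFIX),
    }

def scan_access_log(text):
    """Return all findings for the credential file, most severe first (stable order within a tier)."""
    order = {"critical": 0, "review": 1, "blocked": 2}
    hits = [f for f in (classify(l) for l in text.splitlines()) if f]
    return sorted(hits, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['status']} {f['ip']:15} external={f['external']} {f['path']}")
```

A 200 hit from an external address is the highest-priority finding: the credentials should be considered compromised and rotated after the fix is applied, and the 403 hits show the web-server block is working but that the host is being probed.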
🔗 References
- https://cwe.mitre.org/data/definitions/522.html
- https://www.exploit-db.com/exploits/47819
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php