CVE-2021-45024
📋 TL;DR
This vulnerability allows attackers to perform XML External Entity (XXE) attacks on ASG-Zena Cross Platform Server Enterprise Edition 4.2.1. Attackers can read arbitrary files from the server, potentially leading to sensitive data exposure or server-side request forgery. Organizations using this specific version of ASG-Zena are affected.
💻 Affected Systems
- ASG-Zena Cross Platform Server Enterprise Edition
📦 What is this software?
ASG-Zena by Rocket Software
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through file disclosure leading to credential theft, followed by lateral movement and data exfiltration.
Likely Case
Sensitive file disclosure including configuration files, credentials, and system information that could enable further attacks.
If Mitigated
Limited impact with proper network segmentation and file system permissions restricting accessible files.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity and can be exploited without authentication if the vulnerable endpoint is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references; check the vendor advisory for the latest patched version
Vendor Advisory: https://docs.rocketsoftware.com/bundle/ven1649700711249/page/ayk1652945111726.html
Restart Required: Yes
Instructions:
1. Review the vendor advisory for patch details.
2. Download and apply the latest patch from ASG/Rocket Software.
3. Restart ASG-Zena services.
4. Verify the fix by testing XXE payloads.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution
Configuration varies by XML parser library - consult ASG-Zena documentation for XML parser settings
Input Validation and Sanitization
Implement strict input validation to reject XML containing external entity declarations
Implement XML schema validation or regex filtering for DOCTYPE declarations
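Added illustration of both workarounds above (disabling external entity resolution, and a DOCTYPE gate) using Python's standard-library expat parser; this is not ASG-Zena code, whose parser settings the page says vary by library. The sample documents and the placeholder file path are constructed for the test.

```python
import re
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or an external entity."""

# Cheap gate for the "regex filtering for DOCTYPE declarations" workaround.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")

def has_doctype(xml_bytes: bytes) -> bool:
    return DOCTYPE_RE.search(xml_bytes) is not None

def parse_hardened(xml_bytes: bytes, pre_gate: bool = True) -> dict:
    """Parse with expat while refusing DOCTYPE and entity declarations.
    pre_gate=False skips the regex gate to show that the parser-level handlers
    block the same input on their own. Returns root name and element count."""
    if pre_gate and has_doctype(xml_bytes):
        raise UnsafeXML("gate: DOCTYPE declaration rejected")
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"parser: DOCTYPE {name!r} rejected")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"parser: entity {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        # Never resolve: expat hands us the systemId instead of fetching it.
        raise UnsafeXML(f"parser: external reference {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    seen = []
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)
    return {"root": seen[0], "elements": len(seen)}

# Constructed samples: a benign request and an XXE-shaped one with a placeholder path.
BENIGN = b'<?xml version="1.0"?><job><name>nightly</name><schedule>02:00</schedule></job>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE job [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              b'<job><name>&ext;</name></job>')

def classify(xml_bytes: bytes, pre_gate: bool = True) -> str:
    """Return 'accepted' or the rejection reason, suitable for a log line."""
    try:
        parse_hardened(xml_bytes, pre_gate)
        return "accepted"
    except UnsafeXML as exc:
        return f"rejected ({exc})"
```

The rejection string from `classify` is the kind of event worth logging, since the Detection section below keys on DOCTYPE and ENTITY indicators.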
🧯 If You Can't Patch
- Implement network segmentation to restrict access to ASG-Zena servers
- Deploy a web application firewall (WAF) with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Test with XXE payloads: Send XML containing external entity declarations to ASG-Zena endpoints and check for file disclosure or error responses.
Check Version:
Check ASG-Zena version through administrative interface or configuration files (specific command varies by installation)
Verify Fix Applied:
Retest with the same XXE payloads after patching; a successful fix should reject or safely process external entities without data disclosure.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts via XML parsing
- Large XML payloads with DOCTYPE declarations
Network Indicators:
- HTTP requests containing XML with external entity references
- Outbound connections initiated by XML parser
SIEM Query:
source="asg-zena" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XXE*")