CVE-2021-46143
📋 TL;DR
CVE-2021-46143 is an integer overflow vulnerability in Expat's XML parser that can lead to heap memory corruption. Attackers can exploit this by providing specially crafted XML input, potentially causing denial of service or arbitrary code execution. Any application using vulnerable versions of libexpat (Expat library) is affected.
💻 Affected Systems
- Expat (libexpat)
- Applications using libexpat library
- Embedded systems with XML parsing
📦 What is this software?
Hci Baseboard Management Controller by Netapp
Libexpat by Libexpat Project
Nessus by Tenable
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes or memory corruption, potentially leading to service disruption.
If Mitigated
Limited impact with proper input validation and memory protections; crashes contained within affected process.
🎯 Exploit Status
Proof-of-concept code exists in public repositories. Exploitation requires sending malicious XML to vulnerable parser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.3 and later
Vendor Advisory: https://github.com/libexpat/libexpat/releases/tag/R_2_4_3
Restart Required: Yes
Instructions:
1. Update libexpat to version 2.4.3 or later.
2. Recompile applications against updated library.
3. Restart affected services.
4. Test XML parsing functionality.
🔧 Temporary Workarounds
Input Validation Filter
All platforms: implement strict input validation to reject malformed XML before it reaches the libexpat parser
Memory Protection
Linux: enable ASLR and other memory protection mechanisms to reduce exploit reliability
sysctl -w kernel.randomize_va_space=2
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with XML parsing protection rules
🔍 How to Verify
Check if Vulnerable:
Check libexpat version: 'strings /path/to/libexpat.so | grep -i expat' or 'ldd /path/to/application | grep expat'
Check Version:
xmlwf -v 2>/dev/null || strings "$(ldd "$(which your_app)" | awk '/expat/ {print $3}')" 2>/dev/null | grep -i 'expat'
Verify Fix Applied:
Verify libexpat version is 2.4.3 or higher: 'pkg-config --modversion expat' or check package manager
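An added example (not from the original advisory or the Expat project): a shell check for the verification step above that extracts the version string from a shared library, or from an application binary that bundles Expat statically, and compares it with the fixed release 2.4.3. It assumes the build embeds its upstream version as `expat_X.Y.Z`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag binaries whose embedded Expat version predates the fix.
FIXED="2.4.3"   # fixed release as stated on this page

# Print the first "expat_X.Y.Z" string found in file $1 (assumption: the
# build embeds its upstream version in that form), without the prefix.
expat_version_of() {
    LC_ALL=C grep -a -o 'expat_[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null |
        head -n 1 | sed 's/^expat_//'
}

# Return 0 if dotted version $1 is lower than $2, comparing three numeric fields.
version_lt() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        a=${a#*.} b=${b#*.}
    done
    return 1
}

# Classify one file: exit 0 = fixed, 1 = vulnerable version, 2 = no version found.
check_expat() {
    v=$(expat_version_of "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN $1"
        return 2
    elif version_lt "$v" "$FIXED"; then
        echo "VULNERABLE $1 expat $v"
        return 1
    fi
    echo "OK $1 expat $v"
}

# Audit each path given as an argument, for example the library printed by:
#   ldd /path/to/application | awk '/expat/ {print $3}'
for lib in "$@"; do
    check_expat "$lib" || true
done
```

Distribution packages often backport security fixes without changing the upstream version string, so confirm a VULNERABLE result for a packaged library against the distribution's own advisory before treating it as unpatched.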
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Memory corruption errors in system logs
- Unusual XML parsing errors
Network Indicators:
- Unusually large XML payloads
- XML with malformed structure patterns
- Repeated XML parsing attempts
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "memory corruption" OR "xml parse error")
🔗 References
- http://www.openwall.com/lists/oss-security/2022/01/17/3
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://github.com/libexpat/libexpat/issues/532
- https://github.com/libexpat/libexpat/pull/538
- https://security.gentoo.org/glsa/202209-24
- https://security.netapp.com/advisory/ntap-20220121-0006/
- https://www.debian.org/security/2022/dsa-5073
- https://www.tenable.com/security/tns-2022-05