CVE-2023-1287

9.0 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on ENOVIA Live Collaboration servers by exploiting an XSL template injection flaw. It affects organizations using ENOVIA Live Collaboration V6R2013xE. Attackers can potentially take full control of affected systems.

💻 Affected Systems

Products:
  • ENOVIA Live Collaboration
Versions: V6R2013xE
Operating Systems: Not specified in CVE
Default Config Vulnerable: ⚠️ Yes
Notes: Specific configuration details not provided in CVE description.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, lateral movement within the network, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to steal sensitive data, disrupt operations, or use the system as a foothold for further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation, strict access controls, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

XSL template injection vulnerabilities typically require understanding of the application's XSL processing but can be exploited remotely without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in CVE

Vendor Advisory: https://www.3ds.com/vulnerability/advisories

Restart Required: Yes

Instructions:

1. Check the Dassault Systèmes advisory for specific patch details.
2. Apply the official patch from Dassault Systèmes.
3. Restart the ENOVIA Live Collaboration service.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Network Isolation (Linux)

Restrict network access to ENOVIA Live Collaboration to only trusted IP addresses.

Use firewall rules to limit access. Rules are evaluated in order, so add the ACCEPT rule before the DROP rule:

    iptables -A INPUT -p tcp --dport [ENOVIA_PORT] -s [TRUSTED_IP] -j ACCEPT
    iptables -A INPUT -p tcp --dport [ENOVIA_PORT] -j DROP

Application Layer Filtering (all platforms)

Implement WAF rules to block malicious XSL template injection attempts.

Configure WAF to block requests containing suspicious XSL patterns

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ENOVIA servers from critical systems.
  • Deploy intrusion detection systems and monitor for unusual XSL processing activity.

🔍 How to Verify

Check if Vulnerable:

Check ENOVIA Live Collaboration version against V6R2013xE. If running this version, assume vulnerable.

Check Version:

Check ENOVIA administration console or configuration files for version information.

Verify Fix Applied:

Verify the installed version is updated beyond V6R2013xE as per Dassault Systèmes advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XSL template processing errors
  • Unexpected system command execution in logs
  • Abnormal process creation from ENOVIA service

Network Indicators:

  • Suspicious HTTP requests containing XSL payloads to ENOVIA endpoints
  • Outbound connections from ENOVIA server to unknown external IPs

SIEM Query:

source="ENOVIA" AND (event="XSL processing error" OR process="cmd.exe" OR process="bash")
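
The SIEM query above, written out as runnable triage logic (an added example, not vendor or advisory code). The key=value log format, the `ts` and `host` fields, the sample events and the 60-second window are assumptions; the example goes one step beyond the query by raising severity when a shell start follows an XSL processing error on the same host.

```python
import shlex
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "bash"}      # process names taken from the SIEM query
WINDOW = timedelta(seconds=60)    # assumed correlation window

# Constructed sample events in an assumed key=value log format.
SAMPLE_LOG = '''\
ts=2023-03-09T10:00:01 source="ENOVIA" host=plm01 event="login" process="java"
ts=2023-03-09T10:02:10 source="ENOVIA" host=plm01 event="XSL processing error" process="java"
ts=2023-03-09T10:02:25 source="ENOVIA" host=plm01 event="process start" process="bash"
ts=2023-03-09T10:05:00 source="nginx" host=web01 event="process start" process="bash"
ts=2023-03-09T11:00:00 source="ENOVIA" host=plm02 event="process start" process="cmd.exe"
'''

def parse(line):
    """Split one key=value line (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def matches_query(ev):
    """Same predicate as the SIEM query: ENOVIA source AND (XSL error OR shell)."""
    return ev.get("source") == "ENOVIA" and (
        ev.get("event") == "XSL processing error" or ev.get("process") in SHELLS)

def triage(log_text):
    """Return (timestamp, host, severity) for each event matching the query.
    A shell start within WINDOW after an XSL error on the same host is 'high'."""
    last_xsl_error = {}   # host -> time of most recent XSL processing error
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        host = ev.get("host", "unknown")
        severity = "medium"
        if ev.get("event") == "XSL processing error":
            last_xsl_error[host] = ts
        else:
            prev = last_xsl_error.get(host)
            if prev is not None and timedelta(0) <= ts - prev <= WINDOW:
                severity = "high"
        alerts.append((ev["ts"], host, severity))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```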
