CVE-2023-24466
📋 TL;DR
CVE-2023-24466 is an XML External Entity (XXE) injection vulnerability in OpenText iManager's GET parameter processing. Attackers can exploit this to read arbitrary files from the server, potentially including sensitive configuration files. This affects OpenText iManager 3.2.6.0200 installations.
💻 Affected Systems
- OpenText iManager
📦 What is this software?
iManager by Micro Focus (now OpenText)
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure of sensitive data like passwords, configuration files, or SSH keys, potentially leading to lateral movement within the network.
Likely Case
Unauthorized reading of server files including configuration files, potentially exposing credentials and sensitive system information.
If Mitigated
Limited impact if XML external entity processing is disabled or proper input validation is implemented.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity and can be exploited via crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Patch 3 for iManager 3.2.6.0200
Vendor Advisory: https://www.netiq.com/documentation/imanager-32/pdfdoc/imanager326_patch3_releasenotes/imanager326_patch3_releasenotes.pdf
Restart Required: Yes
Instructions:
1. Download Patch 3 from the OpenText support portal.
2. Back up the current installation.
3. Apply the patch according to the vendor instructions.
4. Restart the iManager services.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution.
Configure the XML parser settings in the application server to set the features FEATURE_SECURE_PROCESSING=true and disallow-doctype-decl=true (JAXP/Xerces parser features).
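The two parser features above amount to one policy: no DOCTYPE declaration is accepted, so no entity (internal or external) can be declared and nothing is ever resolved. As an added example, not part of the advisory and not iManager's own configuration, the same policy is expressed below with Python's standard-library expat parser. The names `UnsafeXML`, `parse_untrusted` and `is_accepted` and the sample documents are constructed for this illustration.

```python
# Added example (not from the advisory or from OpenText): the
# "no DOCTYPE, no external entities" policy that the Java features
# FEATURE_SECURE_PROCESSING and disallow-doctype-decl enforce, written
# against Python's stdlib expat parser.  Sample documents are constructed.
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document uses a construct the policy forbids."""


def parse_untrusted(data):
    """Parse XML from an untrusted source under a strict policy.

    Any DOCTYPE declaration is rejected before its internal subset is read,
    which is the effect of disallow-doctype-decl: with no DOCTYPE there can be
    no <!ENTITY ... SYSTEM "..."> declaration and nothing to resolve.  An
    external entity reference handler is installed as a second line of
    defence.  Returns the root element name and the number of elements seen.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Called at the start of <!DOCTYPE ...>, before any entity is declared.
        raise UnsafeXML("DOCTYPE declaration not allowed: %r" % name)

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: unreachable once every DOCTYPE is rejected.
        raise UnsafeXML("external entity reference not allowed: %r" % system_id)

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from exc
    return summary


def is_accepted(data):
    """True if the document parses under the policy, False if it is rejected."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a plain request, an internal entity, an external entity.
PLAIN = b"<request><user>alice</user><view>system</view></request>"
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e "harmless">]><r>&e;</r>'
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder">]><r>&e;</r>'

if __name__ == "__main__":
    for doc in (PLAIN, INTERNAL_ENTITY, EXTERNAL_ENTITY):
        print("accepted" if is_accepted(doc) else "rejected", doc[:40])
```

Rejecting every DOCTYPE is the simplest safe setting and is what disallow-doctype-decl does; it also refuses harmless internal entities, which is acceptable for an application that never needs a DTD.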
Web Application Firewall Rules
Block XXE patterns in HTTP requests.
Add WAF rules to block requests containing DOCTYPE, ENTITY, SYSTEM declarations in GET parameters
🧯 If You Can't Patch
- Implement strict input validation to reject XML content in GET parameters
- Deploy network segmentation to restrict access to iManager from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Send a request carrying an XXE test payload in a GET parameter to an iManager endpoint and check whether file contents are returned.
Check Version:
Check the iManager version in the administration console or in the version file in the installation directory.
Verify Fix Applied:
Repeat the same XXE test after applying the patch; the request should be rejected with an error and no file contents should be disclosed.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests whose query parameters contain XML markup or DOCTYPE declarations
- File system access to unexpected files via web process
Network Indicators:
- HTTP requests with XML content in query parameters
- Unexpected outbound connections from the iManager host caused by external entity resolution
SIEM Query:
source="iManager" AND (http_method="GET" AND (http_query CONTAINS "<!DOCTYPE" OR http_query CONTAINS "<!ENTITY" OR http_query CONTAINS "SYSTEM"))