CVE-2024-28757
📋 TL;DR
CVE-2024-28757 is an XML Entity Expansion vulnerability in libexpat that allows attackers to cause denial of service through resource exhaustion when external parsers are created via XML_ExternalEntityParserCreate. This affects applications using libexpat versions through 2.6.1 for XML parsing. The vulnerability is particularly relevant for systems processing untrusted XML input.
💻 Affected Systems
- libexpat
- applications using libexpat for XML parsing
📦 What is this software?
Fedora by Fedoraproject
Libexpat by Libexpat Project
Ontap by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through memory exhaustion, potentially crashing the application or system processing XML.
Likely Case
Application instability or crashes when processing malicious XML payloads, leading to service disruption.
If Mitigated
Minimal impact if XML input is validated and controlled, or if external entity parsing is disabled.
🎯 Exploit Status
Proof of concept available in GitHub issues. Exploitation requires sending malicious XML to vulnerable parser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libexpat 2.6.2 and later
Vendor Advisory: https://github.com/libexpat/libexpat/pull/842
Restart Required: Yes
Instructions:
1. Update libexpat to version 2.6.2 or later.
2. Rebuild applications linked against libexpat.
3. Restart affected services.
🔧 Temporary Workarounds
Disable external entity parsing
- Configure XML parsers to disable external entity resolution
- Set XML_PARSE_NOENT flag to 0 in parser configuration
Limit XML input size
- Implement input validation to restrict XML payload size
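As an added example (not code from the advisory or from the libexpat project), the following uses Python's `xml.parsers.expat` binding to libexpat to show the "disable external entity parsing" workaround in practice: the application's external-entity handler refuses every external entity instead of creating a sub-parser, so the `XML_ExternalEntityParserCreate` code path named in this advisory is never reached. Both sample documents are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed sample documents (not taken from the advisory).
SAFE_DOC = '<?xml version="1.0"?><root>hello</root>'
EXTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [\n'
    '  <!ENTITY ext SYSTEM "file:///dev/null">\n'
    ']>\n'
    '<root>&ext;</root>\n'
)


def make_hardened_parser(events):
    """Return an expat parser that never creates external-entity sub-parsers."""
    p = expat.ParserCreate()
    p.buffer_text = True
    # Never fetch or parse external parameter entities (external DTD subsets).
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_external_entity(context, base, system_id, public_id):
        # Returning 0 makes expat abort with XML_ERROR_EXTERNAL_ENTITY_HANDLING.
        # No sub-parser is ever created here, so the vulnerable path is avoided.
        events.append(("refused", system_id))
        return 0

    p.ExternalEntityRefHandler = refuse_external_entity
    p.CharacterDataHandler = lambda data: events.append(("text", data))
    return p


def parse_untrusted(doc):
    """Parse doc; return (status, events, reason) with status 'ok' or 'rejected'."""
    events = []
    parser = make_hardened_parser(events)
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        return ("rejected", events, expat.ErrorString(err.code))
    return ("ok", events, None)


if __name__ == "__main__":
    print(parse_untrusted(SAFE_DOC))
    print(parse_untrusted(EXTERNAL_ENTITY_DOC))
```

The rejected document surfaces as an `ExpatError` the application can log and count, which also gives the "XML parsing errors" log indicator listed under Detection & Monitoring something concrete to match on.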
🧯 If You Can't Patch
- Implement strict XML input validation and sanitization
- Deploy network controls to filter malicious XML payloads
🔍 How to Verify
Check if Vulnerable:
Check libexpat version: expat --version or check package manager
Check Version:
expat --version 2>/dev/null || dpkg -l | grep libexpat || rpm -qa | grep expat
Verify Fix Applied:
Verify libexpat version is 2.6.2 or later
📡 Detection & Monitoring
Log Indicators:
- Application crashes during XML parsing
- Memory exhaustion warnings
- XML parsing errors
Network Indicators:
- Large XML payloads with nested entities
- Repeated XML requests causing resource spikes
SIEM Query:
source="application_logs" AND ("XML_ExternalEntityParserCreate" OR "expat" OR "memory exhaustion")
🔗 References
- http://www.openwall.com/lists/oss-security/2024/03/15/1
- https://github.com/libexpat/libexpat/issues/839
- https://github.com/libexpat/libexpat/pull/842
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
- https://security.netapp.com/advisory/ntap-20240322-0001/