CVE-2024-35532
📋 TL;DR
An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea allows attackers to read arbitrary files, make server-side request forgery (SSRF) attacks, or cause denial of service. This affects Intersec Geosafe-ea versions 2022.12, 2022.13, and 2022.14. Organizations using these vulnerable versions are at risk.
💻 Affected Systems
- Intersec Geosafe-ea
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files (including configuration files, credentials), execute SSRF attacks against internal systems, or crash the service causing complete denial of service.
Likely Case
Attackers would most likely read sensitive configuration files or perform SSRF attacks to probe internal networks, potentially leading to further compromise.
If Mitigated
With proper network segmentation and input validation controls, impact would be limited to denial of service or limited file access within the application's context.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity once the attack vector is identified. The advisory mentions 'unspecified vectors' suggesting multiple potential entry points.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://intersec.com/public-safety
Restart Required: No
Instructions:
Check Intersec's public safety page for updates. Consider upgrading to a version beyond 2022.14 if available.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure XML parsers to disable external entity resolution
Configuration depends on the specific XML parser implementation. For common parsers: in Java, set XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false; in PHP, call libxml_disable_entity_loader(true) on versions before 8.0 (later versions disable external entity loading by default) and do not pass LIBXML_NOENT or LIBXML_DTDLOAD to the DOM or SimpleXML loaders.
Input Validation and Sanitization
Implement strict input validation for XML data
Implement XML schema validation or whitelist allowed XML elements. Use regular expressions to filter or reject XML containing DOCTYPE declarations.
🧯 If You Can't Patch
- Implement network segmentation to isolate Geosafe-ea instances from sensitive internal systems
- Deploy web application firewall (WAF) rules to block XML containing external entity declarations
🔍 How to Verify
Check if Vulnerable:
Check if running Intersec Geosafe-ea version 2022.12, 2022.13, or 2022.14. Test XML endpoints with XXE payloads (e.g., <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><test>&xxe;</test>).
Check Version:
Check Intersec Geosafe-ea administration interface or configuration files for version information.
Verify Fix Applied:
Verify version is updated beyond 2022.14. Retest with XXE payloads to confirm they are rejected or processed safely.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Multiple failed XML parsing attempts
- Requests containing DOCTYPE declarations or external entity references
Network Indicators:
- Outbound connections from Geosafe-ea to unexpected internal systems (SSRF)
- Large XML payloads causing service disruption
SIEM Query:
source="geosafe-ea" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*XML*error*")