CVE-2016-8526
published 2018-08-06

Priority: P266 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 9.81% (95.0th percentile)
All versions of Aruba Airwave up to, but not including, 8.2.3.1 are vulnerable to XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
hewlett_packard_enterprise | aruba_airwave | |
hp | airwave | < 8.2.3.1 | 8.2.3.1

Detection & IOCs (extracted from sources)

url: POST /visualrf/backup_sites HTTP/1.1
url: POST /nf/visualrf_siterestore HTTP/1.1
url: POST /visualrf/verify/ HTTP/1.1
path: /visualrf/backup_sites
path: /nf/visualrf_siterestore
path: /visualrf/verify/
filename: sectest.dtd
filename: version.xml
filename: backup_sectest.zip
command: xml=:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]>%26%65%78%66%69%6c%3b
port: 1234
port: 2121
  • Detect ZIP file uploads to /nf/visualrf_siterestore containing a version.xml with external DTD references — a hallmark of the XXE-via-restore attack vector.
  • Look for outbound FTP connections (port 2121) from the web server process, which may indicate active XXE data exfiltration using the FTP out-of-band channel technique.
  • Look for outbound HTTP connections from the web server to attacker-controlled hosts on port 1234, used to serve malicious DTD files during XXE exploitation.
  • The multipart form-data boundary '------WebKitFormBoundaryjPK7DdVbiNVDEJ2A' is present in the documented exploit POST to /nf/visualrf_siterestore and can be used as a specific signature for this PoC.
  • The XXE vulnerability affects Aruba AirWave versions up to but not including 8.2.3.1. The fix is to update to 8.2.3.1 or later; no workaround is available.
  • The attack requires an unprivileged user to be able to control the contents of XML files submitted to the affected endpoints; the XML parser runs with web server permissions and can read any file accessible to it.
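
One way to implement the first detection above, the check for restore archives whose version.xml declares a DTD, is sketched below. This is an added example, not code from the advisory, the vendor or this database; the function names, the size cap and the placeholder host in the constructed samples are assumptions. It inspects the XML as text and never parses it, so the scanner cannot resolve an entity itself.

```python
from __future__ import annotations
import io
import re
import zipfile

# Any DTD in a restore archive is unexpected; an external reference is worse.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
EXTERNAL_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b[^>]*?\b(?:SYSTEM|PUBLIC)\b", re.I | re.S)
MAX_MEMBER_BYTES = 1_000_000  # assumed cap; avoids inflating huge members


def decode_xml(raw: bytes) -> str:
    """Decode honouring a UTF-16 BOM so a re-encoded DTD is not missed."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_restore_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, finding) pairs for XML members that declare a DTD."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized"))
                continue
            text = decode_xml(zf.read(info))
            if EXTERNAL_RE.search(text):
                findings.append((info.filename, "external-dtd-or-entity"))
            elif DOCTYPE_RE.search(text):
                findings.append((info.filename, "inline-doctype"))
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the host and DTD name are placeholders.
CLEAN = make_zip({"version.xml": b"<backup><version>1</version></backup>"})
FLAGGED = make_zip({"version.xml":
    b'<?xml version="1.0"?><!DOCTYPE backup SYSTEM '
    b'"http://dtd.example.invalid/sample.dtd"><backup/>'})
```
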

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N