XML Entity Reference denial of service (XML_EntityRef_DoS)

About this signature or vulnerability

Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, RealSecure Desktop Protector 3.6:

This signature detects when a large number of XML entity references, both internal and external, are included as character data for attribute values and non-markup text. Each time an entity reference (e.g., "&Name;") is encountered, the XML parser must substitute the literal definition of "Name" for it. Every XML parser must declare five internal entities: lt, gt, amp, apos and quot. If DTD parsing is enabled, additional declarations are possible.

Default risk level

Medium risk vulnerability

Sensors that have this signature

Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: XPU 1.47, Proventia Desktop: 8.0.614.5, Proventia Network MFS: XPU 1.47, Proventia Network IDS: XPU 24.8, Proventia-G 1.1 and earlier: XPU 24.8, BlackICE PC Protection: 3.6cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eoh, BlackICE Server Protection: 3.6.cpa, RealSecure Network: XPU 24.8, RealSecure Server Sensor: XPU 24.8, RealSecure Desktop: eoh, RealSecure Desktop Protector 3.6: eoh

Systems affected

IBM AIX, WindRiver BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, Novell NetWare, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Cisco IOS, IBM WebSphere Application Server, Microsoft Windows Me, BEA WebLogic Server: 6.0, Compaq Tru64, Microsoft Windows XP, Adobe ColdFusion, Macromedia JRun: 4.0, Apple Mac OS, BEA WebLogic Server: 6.1, BEA WebLogic Server: 7.0, BEA WebLogic Server: 7.0.0.1, BEA WebLogic Server: 6.1 Express, BEA WebLogic Server: 7.0 Express, BEA WebLogic Server: 7.0.0.1 Express, BEA WebLogic Server: 6.0 Express, BEA WebLogic Integration: 7.0, BEA WebLogic Integration: 2.1, Sybase EAServer: 4.1, Sybase EAServer: 4.1.1, Sybase EAServer: 4.1.2, Sybase EAServer: 4.1.3, Microsoft Windows 2003 Server, Apache Xerces XML parser, Adobe ColdFusion: Professional, Adobe ColdFusion: Enterprise, Apache Axis, Expat XML parser, Sun ONE Web Server

Type

Denial of Service

Vulnerability description

A large number of XML (Extensible Markup Language) entity references, both internal and external, have been detected. An entity reference is a token used as a substitute for a group of characters; entities refer to data that the XML parser has to parse.

Each time an entity reference is encountered, for example "&Name;", the XML parser must substitute the literal definition of "Name" for it. Every XML parser must declare five internal entities: lt, gt, amp, apos and quot. If parsing of a Document Type Definition (DTD) is enabled, additional declarations are possible.

A remote attacker can create a document with a very large number of entity references, hundreds of thousands or more, to attempt to consume large amounts of CPU and memory, resulting in a denial of service. Web servers that support compressed content encoding and environments where XML and Web services are used for open transaction processing are at a higher risk of a denial of service attack.
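As an added illustration of the transaction limitations this entry recommends (not code from ISS or any of the listed vendors), the following counts entity references in the raw document before parsing, rejects documents that carry a DTD (the approach the Microsoft KB 826231 reference takes, since a DTD can declare further entities), and only then hands the document to expat. The limit, the helper names and the sample documents are assumptions constructed for this example.

```python
import re
import xml.parsers.expat

# Assumed budget for this example (the advisory gives no number).
MAX_ENTITY_REFS = 1000

# General entity references in attribute values and text: named (&lt; ... &Name;)
# and numeric character references (&#nnn; / &#xhh;).
_ENTITY_REF = re.compile(r"&(?:#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z_:][\w.:-]*);")

def count_entity_refs(doc):
    """Count entity references in the raw text, before any parser expands them."""
    return len(_ENTITY_REF.findall(doc))

def has_dtd(doc):
    """A DOCTYPE can declare additional entities, so its presence is flagged."""
    return "<!DOCTYPE" in doc

def check_document(doc, max_refs=MAX_ENTITY_REFS):
    """Pre-parse transaction limit: returns (accepted, reason)."""
    if has_dtd(doc):
        return False, "document carries a DTD; entity declarations are not accepted"
    refs = count_entity_refs(doc)
    if refs > max_refs:
        return False, "%d entity references exceeds the limit of %d" % (refs, max_refs)
    return True, "ok"

def parse_checked(doc, max_refs=MAX_ENTITY_REFS):
    """Apply the limit, then parse with expat and return the expanded character data."""
    accepted, reason = check_document(doc, max_refs)
    if not accepted:
        raise ValueError(reason)
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    # Defence in depth: a false return makes expat refuse external entities rather than fetch them.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.Parse(doc, True)
    return "".join(chunks)

# Constructed sample inputs (not from the advisory).
BENIGN = '<order id="A&amp;B"><note>Fish &amp; chips &lt; 5 &#163;</note></order>'
# A document of the kind described above: thousands of references in one attribute and one text node.
FLOOD = '<a x="' + "&lt;" * 5000 + '">' + "&amp;" * 5000 + "</a>"

if __name__ == "__main__":
    print(check_document(BENIGN), parse_checked(BENIGN))
    print(check_document(FLOOD))
```

The count runs over the raw bytes the server received, so it costs linear time regardless of how expensive expansion would have been; a compressed request must be decompressed first, which is why the entry singles out compressed content encoding.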

How to remove this vulnerability

For IBM WebSphere Application Server:
Apply the PQ81278 update for this vulnerability, as listed in the IBM PQ81278 Document (see References). Note: apply the update installer for 5.0.x before applying the PQ81278 update.

This attack is not implementation specific, although some XML parsers allow low-level configuration of how the parser handles entity references. It is important to define reasonable transaction limitations such as:

References

BugTraq Mailing List, Thu Dec 11 2003 - 11:58:17 CST
Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities)
http://archives.neohapsis.com/archives/bugtraq/2003-12/0183.html

Microsoft Knowledge Base Article - 826231
Software update to prevent the processing of XML messages that contain DTDs for .NET Framework 1.1
http://support.microsoft.com/default.aspx?kbid=826231

IBM PQ81278 Document
PQ81278: Web Services Denial of Service problem with XML Attributes
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943

ISS X-Force
XML Entity Reference denial of service
http://www.iss.net/security_center/static/20495.php