Security Advisory: Improper Restriction of XML External Entity Reference Vulnerability (CVE-2020-6590)
Summary
This security advisory describes the XML External Entity (XXE) vulnerability (CVE-2020-6590) and its potential effect on Forcepoint products.
Information
Published date: April 8, 2021Last update: June 15, 2021
Security Advisory status: Published
Security Advisory severity: High
CVE number(s):
CVE-2020-6590
Security Advisory summary
Forcepoint Web Security versions prior to 8.5.4, Forcepoint DLP versions prior to 8.7.1, and Forcepoint Email Security versions prior to 8.5.4 improperly process XML input, leading to information disclosure.
Forcepoint would like to thank researchers Sagi Cohen and Almog Cygel, as well as Frederic Quenneville, pentester at Videotron, for discovering this issue and participating in a coordinated vulnerability disclosure.
Affected products
- Forcepoint Web Security, prior to v8.5.4
- Forcepoint Email Security, prior to v8.5.4 with DLP enabled
- Forcepoint DLP, prior to v8.7.1
- Forcepoint Email Security without DLP enabled
Security Advisory detailed information
This description is from https://cwe.mitre.org/data/definitions/611.html:
The software processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Resolution
Forcepoint Web Security or Forcepoint Email Security with DLP enabled
Customers must manually edit the extractorlinux.config.xml file that resides on the Forcepoint DLP Manager.
- Access the Forcepoint DLP Manager machine.
- Navigate to %DSS_HOME%\policies_store\policies\config_files\.
- Back up the extractorlinux.config.xml file in a different directory.
- Find and remove the following lines from the extractorlinux.config.xml file:
- Access the DLP Manager via a browser.
- Edit any policy and click Deploy.
- Ensure that the deployment status for all components shows Success after the deployment process is complete.
Forcepoint DLP
Customers must take one of the following actions:
- Upgrade all DLP components to version 8.7.1
NOTE: This step is not valid for customers running Forcepoint Web Security or Forcepoint Email Security. These customers must use the manual edit option below.
- Manually edit the extractor.config.xml and extractorlinux.config.xml files:
- Access the Forcepoint DLP Manager machine.
- Navigate to %DSS_HOME%\policies_store\policies\config_files\.
- Back up the extractor.config.xml and extractorlinux.config.xml files in a different directory.
- Find and remove the following lines from both extractor.config.xml and extractorlinux.config.xml:
- Access the DLP Manager via a browser.
- Edit any policy and click Deploy.
- Ensure that the deployment status for all components shows Success after the deployment process is complete.
Forcepoint Web Security without DLP enabled
Versions 8.4, 8.5.0, and 8.5.3
Customers must take one of the following actions:
- Upgrade to Forcepoint Web Security version 8.5.4.
- Version 8.5.3 only: Install WCG 8.5.3 Hotfix 13.
- Contact Technical Support for a manual workaround.
- Confirm that Data Theft Protection is disabled:
- Sign on to Forcepoint Security Manager.
- In the Outbound Scanning section, deselect the Data Theft Protection checkbox.
- Click OK and Save and Deploy in the top right corner to save the changes.