Security Advisory: XML External Entity (XXE) Vulnerability

SUMMARY

This advisory describes the XML External Entity (XXE) Vulnerability (CVE-2022-1700) and its potential effect on Forcepoint products.

INFORMATION

Published Date: May 12, 2022

Last Update:August 17, 2022
Security Advisory Status:  Final Update
Security Advisory severity: High
CVE Number(s): CVE-2022-1700

Customers and Partners should log into the Forcepoint Customer Hub and view XML External Entity (XXE) Vulnerability.

Security Advisory Summary

CVE-2022-1700 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Forcepoint DLP is vulnerable to an XML External Entity (XXE) Injection attack.

The XML parser was found to be improperly configured to support external entities and external DTD (Document Type Definitions) which can lead to an XXE attack.

Special thanks to Kaushik Joshi and Keval Shah from iAppSecure Solutions Pvt Ltd. for finding and reporting this issue.

Affected products

• Forcepoint Data Loss Prevention (DLP) version 8.8.1 and prior.
  • Fixed in version 8.8.2 and above.
• Forcepoint One Endpoint (F1E) with Policy Engine Version 8.8.1 and prior
  • Fixed in version 8.8.2 and above.
• Web Security Content Gateway in version 8.5.4 and prior
  • Fixed in version 8.8.5.
  • 8.5.4 Hotfix: Proxy-8.5.4-007
    • The installation of Proxy Hotfix 07 has a dependency on Proxy Hotfix 03. Hotfix 03 or a later hotfix that includes the Hotfix 03 fixes must be installed before installing this hotfix.
    • Requires DLP mitigation if using DLP 8.7.1-8.8.1 see steps under Workarounds below.
  • 8.5.3 Hotfix: Proxy-8.5.3-013
    • Policy Engine Hotfix13 is not included in Proxy hotfix rollups, it needs to be applied independently.
    • Requires DLP mitigation if using DLP 8.7.1-8.8.1 see steps under Workarounds below.
• Email Security Gateway Appliance with DLP Enabled in version 8.5.4 and prior.
  • Fixed in version 8.5.5
  • Requires DLP mitigation if using DLP 8.7.1-8.8.1 see steps under Workarounds below.
  • If DLP is not enabled in an Email Security deployment, Email Security is not vulnerable.
• Cloud Security Gateway
  • Fix applied to Cloud on June 10, 2022.

Resolution

This is fully fixed by upgrading to the versions listed above.

Workarounds

While upgrading the software is the best practice to include fixes for other vulnerabilities and product issues, for this particular vulnerability, if mitigation has been completed, no additional upgrades are required.

Note: Non upgrade mitigation information is listed below. Customers and Partners should log into the Customer Hub to view this article.

For DLP enabled deployments 8.7.1-8.8.1 (including Web and/or Email integrations):

Note: These configuration mitigation steps does not limit, restrict, degrade, or impact the security posture of any scanning functionality. It replaces the XML parser with one that is not vulnerable.

1. Take backup of files extractorlinux.config.xml and extractor.config.xml under Data security installation directory on the Forcepoint Security Manager box.
   • By default, this is located at, C:\Program Files (x86)\Websense\Data Security\policies_store\policies\config_files\
2. Locate and remove following snippet from both extractorlinux.config.xmland extractor.config.xml

   				
   				<fileType id="291">
   					<!-- XML_FMT -->
   					<textExtractors>
   					</textExtractors>
   					<binaryExtractors>
   						<name>XML</name>
   					</binaryExtractors>
   					<metadataExtractors/>
   				</fileType>
   				
   			

3. In the Forcepoint Security Manager, edit any DLP policy, then click Deploy.
4. Ensure that the deployment status for all components shows Success after the deployment process is complete.
5. Ensure that all endpoints pull the new policy. (restarting client machines or clicking the update button inside DLP endpoint triggers a F1E policy updates).