Xerox DocuShare Bugs Allow Data Leaks

CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.

Xerox issued a fix for two vulnerabilities impacting its market-leading DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to an attack resulting in the loss of sensitive data.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and administrators to apply a patch that plugged two security holes in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated important.

Tracked as CVE-2020-27177, Xerox said the vulnerabilities open Solaris, Linux and Windows DucuShare users up to both a server-side request forgery (SSRF) attack and an unauthenticated external XML entity injection attack (XXE). Xerox issued its security advisory (XRX20W) on November 30.
Xerox did not share the specifics of the bugs or possible attack scenarios. In its “Mini Bulletin” it offered links to hotfix links to tarball files addressing bugs in affected versions of Solaris, Linux and Windows DocuShare.

However, a hotfix for the Solaris version of DocuShare 7.5 is not available. Xerox did not return press inquiries ahead of this published news article.

Potential Threat Vectors

A SSRF vulnerability would allow an attacker to abuse functionality on a server hosting the software-as-a-service (SaaS) DocuShare. A successful SSRF attack typically allows an adversary to read or update internal resources.

“The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed,” according to an OWASP Foundation description of a SSRF attack.

An XXE is a type of attack against an application that parses XML input. “This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” OWASP describes.

A successful XXE attack would allow a cybercriminal to gain access to confidential data and could also facilitate attacks that include: “denial of service, server side request forgery and port scanning from the perspective of the machine where the parser is located,” according OWASP.

Bug hunter Julien Ahrens (@MrTuxracer) is credited for finding the bug and bringing it to Xerox’s attention.

Xerox DocuShare is an enterprise document management system used by mid-sized and large businesses. The document management system market, worth $41.65 billion in 2019, is a dominated companies such as Xerox, IBM, Oracle and OpenText.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles

oracle solaris zero-day attack

Oracle Solaris Zero-Day Attack Revealed

A threat actor is compromising telecommunications companies and targeted financial and professional consulting industries using an Oracle flaw.