Quantum DXi6702 XML External Entity Injection Vulnerability

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in Quantum DXi6702 devices running version 2.3.0.3 (Build 304). This vulnerability arises because the device processes user-supplied XML data in an unsafe manner, enabling an unauthenticated attacker to read arbitrary files from the device with root privileges. The issue can be exploited by sending a crafted XML document during the authentication process via the REST API.

Impact

Exploitation of this vulnerability allows for unauthorized reading of files from the affected device with root privileges, potentially leading to further exploitation or data compromise.

Reproduction

To reproduce this vulnerability, send a POST request to the '/rest/Users?action=authenticate' endpoint with a crafted XML payload that includes an external entity reference. The device will process the XML and, if external entity processing is enabled, it will connect to a listener (such as one set up with netcat) and disclose the requested file contents. This can be automated with the 'xxeserve' server tool to extract sensitive files like '/etc/shadow', which confirms that the issue is exploitable.
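A mitigation check for the request described above, as an added example that is not part of the original advisory or the vendor's code: a filter that a reverse proxy in front of the device could run on POST bodies sent to '/rest/Users?action=authenticate', rejecting any document that declares a DTD or entity. The sample bodies and their element names are constructed, and the proxy placement is an assumption.

```python
import xml.parsers.expat
from urllib.parse import parse_qs, urlsplit

AUTH_PATH, AUTH_ACTION = "/rest/Users", "authenticate"  # endpoint from the advisory

# Constructed sample bodies; element names are hypothetical.
BENIGN = b"<User><name>admin</name><password>x</password></User>"
WITH_DTD = (b'<!DOCTYPE User [<!ENTITY e SYSTEM "file:///constructed-placeholder">]>'
            b"<User><name>&e;</name></User>")
WITH_DTD_UTF16 = WITH_DTD.decode("ascii").encode("utf-16")  # BOM + UTF-16
MALFORMED = b"<User><name></User>"


class UnsafeXML(Exception):
    """Body carries a DTD, entity declaration or external entity reference."""


def _reject(kind):
    def handler(*_args):
        raise UnsafeXML(kind)
    return handler


def check_xml_body(body: bytes) -> None:
    """Parse with expat and abort at the first DTD construct.

    A real parser, unlike a byte regex, also inspects UTF-16 documents.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    parser.Parse(body, True)


def filter_request(method: str, target: str, body: bytes) -> tuple[int, str]:
    """Return the (status, reason) a proxy in front of the device would apply."""
    url = urlsplit(target)
    is_auth = (url.path.rstrip("/") == AUTH_PATH
               and AUTH_ACTION in parse_qs(url.query).get("action", []))
    if method.upper() != "POST" or not is_auth:
        return 200, "not the authenticate call"
    try:
        check_xml_body(body)
    except UnsafeXML as exc:
        return 403, f"blocked: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return 400, f"malformed XML: {exc}"
    return 200, "forward"
```

The filter is scoped to the one endpoint the advisory names; whether other routes on the device accept XML is not stated here, so widening the path check is a deployment decision.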

Added: Aug 1, 2025, 4:30 PM
Updated: Aug 1, 2025, 4:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.