KYOCERA Net Admin XML External Entity Injection Vulnerability in Multi-Set Template Editor

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in KYOCERA Net Admin version 3.4.0906, specifically within the Multi-Set Template Editor. This vulnerability allows unauthenticated attackers to read arbitrary system files. Exploitation involves crafting a malicious XML file that includes external entity references, which can be used to retrieve sensitive configuration data, such as database credentials, through an out-of-band channel.

Impact

Exploitation of this vulnerability could lead to unauthorized access and disclosure of sensitive system information, including database credentials, which could be used for further attacks or to compromise the system.

Reproduction

The vulnerability can be reproduced by using the Multi-Set Template Editor to open a 5.x Multi-Set template XML file that has been crafted to include external entity references. The ActiveX DLL 'MultisetTemplateEditorActiveXComponent.dll' does not properly sanitize the input, allowing the XXE injection to occur. Once the malicious XML is processed, the external entities can be used to fetch sensitive files from the system and exfiltrate them via an out-of-band channel.
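
The defensive counterpart of the behaviour described above is a template loader that refuses DTDs and external entity declarations before the parser ever sees them, and that parses with external entity resolution switched off. The following is an added example written for this page, not code from KYOCERA Net Admin or its ActiveX component; the template element names and both sample documents are constructed, and the file path in the rejected sample is a placeholder.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample: a benign configuration template. The element names are
# assumptions for this example and do not reflect the real Multi-Set format.
BENIGN_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<MultiSetTemplate version="5.0">
  <Setting name="PaperSize">A4</Setting>
  <Setting name="Duplex">On</Setting>
</MultiSetTemplate>"""

# Constructed sample of what the loader must reject: the same template carrying
# a DOCTYPE with an external (SYSTEM) entity declaration. Placeholder path only.
XXE_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MultiSetTemplate [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">
]>
<MultiSetTemplate version="5.0">
  <Setting name="PaperSize">&ext;</Setting>
</MultiSetTemplate>"""

# A configuration template never needs a DTD, so any DOCTYPE is rejected
# outright; an external entity declaration (SYSTEM or PUBLIC, general or
# parameter entity) is reported specifically so that it can be alerted on.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify_xml(data: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'ok' for the given XML bytes."""
    if EXTERNAL_ENTITY_RE.search(data):
        return "external-entity"
    if DOCTYPE_RE.search(data):
        return "doctype"
    return "ok"


class _TagCollector(ContentHandler):
    """Minimal SAX handler: records element names in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def startElement(self, name, attrs):
        self.tags.append(name)


def parse_template(data: bytes) -> dict:
    """Pre-screen the bytes, then parse with external entity loading disabled.

    Returns {'verdict': ..., 'tags': [...]}; 'tags' is empty on rejection.
    """
    verdict = classify_xml(data)
    if verdict != "ok":
        return {"verdict": verdict, "tags": []}
    parser = xml.sax.make_parser()
    # Defence in depth: even if the pre-screen were bypassed, expat is told
    # not to fetch external general or parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TagCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return {"verdict": "ok", "tags": handler.tags}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_TEMPLATE), ("xxe", XXE_TEMPLATE)):
        print(label, parse_template(doc))
```

The pre-screen is deliberately coarse: rejecting every DOCTYPE costs nothing for a format that carries no DTD, and the parser features are the real control if the screen is ever bypassed. A production loader would also log the verdict with the source of the file so that rejected templates surface in monitoring.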

Added: Dec 24, 2025, 8:23 PM
Updated: Dec 24, 2025, 9:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.