Asterisk XXE Vulnerability in XML Parsing Function

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in Asterisk versions through 23.2.1, 22.8.1, 21.12.0, 20.18.1, and 20.7-cert8. The issue arises in the ast_xml_open() function within xml.c, where XML documents are parsed using libxml with unsafe options that enable entity expansion and XInclude processing. The function invokes xmlReadFile() with the XML_PARSE_NOENT flag, allowing the loading and resolution of external entities, a feature disabled by default in libxml2 versions 2.9 and later due to safety concerns. This vulnerability could be exploited to trigger XXE attacks or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. While Asterisk currently does not permit untrusted or user-supplied XML to be processed in this manner, a fix is recommended to prevent future risks.
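The unsafe ingredients named above are libxml2 parser options: XML_PARSE_NOENT makes the parser substitute entities, including ones declared with a SYSTEM identifier, and XML_PARSE_XINCLUDE turns on XInclude processing; the libxml2-side fix is simply to call xmlReadFile() with an option mask that omits both (and, where network access is never legitimate, adds XML_PARSE_NONET). The following is an added example, not Asterisk's code and not part of this advisory: a defensive pre-scan written with Python's standard-library expat binding that reports every construct such a misconfigured parser would act on (external entity declarations, references to them, and xi:include elements) without resolving anything, so it can sit in front of any parser that must accept XML from a less trusted source. The sample documents and file paths in it are constructed.

```python
import xml.parsers.expat as expat

# Namespace used by XInclude elements; with namespace processing on, expat
# reports such an element as "<namespace> include".
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def find_xxe_risks(xml_bytes: bytes) -> list:
    """Scan an XML document and list the constructs that a parser run with
    entity substitution and XInclude enabled (the situation described in the
    advisory) would act on.

    Expat resolves nothing here: external entity references are intercepted
    and only recorded, so the scan itself cannot read local files or reach
    the network, which makes it safe to run on untrusted input.
    """
    findings = []
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM or PUBLIC identifier points outside the
        # document; that is the XXE primitive.
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity '{name}' -> {system_id}")

    def on_external_ref(context, base, system_id, public_id):
        # Called when content references an external entity. Returning 1
        # tells expat to carry on without fetching anything.
        findings.append(f"reference to external entity -> {system_id}")
        return 1

    def on_start_element(name, attrs):
        # XInclude is honoured only by parsers that opt in (libxml2's
        # XML_PARSE_XINCLUDE); flag the element so the caller can refuse it.
        if name == f"{XINCLUDE_NS} include":
            findings.append(f"xi:include href={attrs.get('href')!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)
    return findings


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """Gate for untrusted XML: True only when no XXE/XInclude construct is present."""
    return not find_xxe_risks(xml_bytes)


if __name__ == "__main__":
    # Constructed samples (not from the advisory): one external entity, one
    # XInclude, one harmless document.
    samples = {
        "external entity": b'<?xml version="1.0"?>'
        b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///constructed/example/secret.txt">]>'
        b"<d>&ext;</d>",
        "xinclude": b'<r xmlns:xi="http://www.w3.org/2001/XInclude">'
        b'<xi:include href="constructed.txt" parse="text"/></r>',
        "clean": b"<r><a>text</a></r>",
    }
    for label, doc in samples.items():
        print(label, "->", find_xxe_risks(doc) or "no findings")
```

The scan is a detection and gating aid, not a substitute for the real fix: the parser that finally consumes the document must still be configured without entity substitution and XInclude, because a pre-scan and the consuming parser can disagree on edge cases of the grammar.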

Impact

Exploitation of this vulnerability could lead to XML External Entity (XXE) injection, allowing attackers to access and disclose sensitive files from the host system.

Remediation

Users can upgrade to Asterisk versions 23.2.2, 22.8.2, 21.12.1, 20.18.2, or 20.7-cert9 to address this vulnerability.

Added: Feb 6, 2026, 5:24 PM
Updated: Feb 6, 2026, 11:04 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          2.5
  exploitability  4.0
  remediation     7.7
  relevance       2.6
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.