CVE-2023-43067
Description
Dell Unity prior to 5.3 contains an XML External Entity injection vulnerability. An XXE attack could potentially exploit this vulnerability, disclosing local files in the file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity prior to 5.3 is vulnerable to an XXE injection that can disclose local files in the file system.
Vulnerability
Dell Unity, Unity VSA, and Unity XT versions prior to 5.3 contain an XML External Entity (XXE) injection vulnerability [1]. The vulnerability exists in the handling of XML data, allowing an attacker to inject an external entity reference that is processed by the XML parser. This can occur when the application processes a crafted XML input without proper validation or restriction of external entities.
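The restriction of external entities that this paragraph refers to, as an added example that is not Dell's code and does not come from the advisory: a Python pre-parse guard that refuses any untrusted XML document declaring a DOCTYPE or an entity. The function and exception names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML declared a DTD/entity or was malformed (hypothetical name)."""


def _forbid(kind):
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
    return handler


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML only after confirming it carries no DOCTYPE or entity declaration."""
    guard = expat.ParserCreate()
    # An XXE payload needs a DTD to declare its entity, so refusing the
    # DOCTYPE itself closes the whole class, not just file:// references.
    guard.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    guard.EntityDeclHandler = _forbid("entity declaration")
    try:
        guard.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return True
    return False


# Constructed sample inputs (not captured from any Dell Unity system).
BENIGN = b'<?xml version="1.0"?><request><name>pool0</name></request>'
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///constructed/example">]>\n'
    b'<request><name>&ext;</name></request>'
)

if __name__ == "__main__":
    print("benign rejected:", is_rejected(BENIGN))
    print("external-entity document rejected:", is_rejected(WITH_EXTERNAL_ENTITY))
```

The guard fails closed: a document that does not parse cleanly is rejected as well, so the second parse never sees input the guard could not fully inspect.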
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted XML payload to the affected Dell Unity endpoint [1]. The attack requires no authentication, special privileges, or valid session: it can be triggered remotely over the network by delivering a malicious XML document to the network-accessible XML parser in the vulnerable service.
Impact
Successful exploitation allows an attacker to read arbitrary local files from the server's file system [1]. This leads to information disclosure of sensitive data such as configuration files, credentials, or other system documents. The confidentiality of the system is compromised, while integrity and availability are not directly affected.
Mitigation
Dell has released a security update to address this vulnerability. The fix is included in Dell Unity version 5.3 and later [1]. Users should upgrade to Dell Unity version 5.3 or apply the relevant patch as described in DSA-2023-141. No known workarounds are documented, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.