Learn about CVE-2018-12463 affecting Fortify Software Security Center (SSC) versions 17.1, 17.2, and 18.1. Understand the XXE vulnerability enabling SSRF attacks and the mitigation steps.
Fortify Software Security Center (SSC) versions 17.1, 17.2, and 18.1 are affected by an XML external entity (XXE) vulnerability, allowing remote unauthenticated individuals to access arbitrary files or conduct server-side request forgery (SSRF) attacks.
Understanding CVE-2018-12463
This CVE involves a vulnerability in Fortify Software Security Center (SSC) that can be exploited for SSRF attacks.
What is CVE-2018-12463?
The vulnerability in Fortify Software Security Center (SSC) versions 17.1, 17.2, and 18.1 is an XML external entity (XXE) flaw: a remote, unauthenticated individual can read arbitrary files or perform SSRF attacks by supplying a manipulated Document Type Definition (DTD) in an XML request.
The Impact of CVE-2018-12463
The vulnerability has a CVSS v3.0 base score of 7.3, rating it HIGH severity. The attack vector is NETWORK and the attack complexity is LOW. Privileges required is listed as LOW, and the confidentiality, integrity, and availability impacts are each rated LOW.
Technical Details of CVE-2018-12463
Fortify Software Security Center (SSC) is affected by an XXE vulnerability that can lead to SSRF attacks.
Vulnerability Description
The vulnerability allows remote unauthenticated users to read arbitrary files or conduct SSRF attacks through a crafted DTD in an XML request.
Affected Systems and Versions
Fortify Software Security Center (SSC) versions 17.1, 17.2, and 18.1.
Exploitation Mechanism
The vulnerability can be exploited by manipulating the Document Type Definition (DTD) in an XML request, enabling unauthorized access to files or SSRF attacks.
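Because the attack surface here is a DTD supplied by the client, the standard defensive control is to refuse any inbound XML that declares a DOCTYPE before the application parser ever sees it. The following Python is an added example, not code from Fortify or from this advisory: it uses the standard library's expat bindings to abort parsing the moment a DOCTYPE declaration is encountered, then hands only DTD-free documents to ElementTree. The sample documents (`BENIGN_DOC`, `EXTERNAL_DTD_DOC`) are constructed for the example, and the placeholder host `dtd.example.invalid` is not a real system.

```python
"""Reject inbound XML that carries a DTD before it reaches the application parser.

Added example (not part of the advisory or of Fortify SSC). Uses only the
Python standard library; the approach mirrors the "forbid DTD" control that
XXE-hardened parsers apply.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDNotAllowed(ValueError):
    """Raised when an untrusted XML document declares a DOCTYPE."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity in
    # the DTD is declared or resolved. Raising here aborts the parse.
    raise DTDNotAllowed(
        f"DOCTYPE {name!r} not permitted (system id {sysid!r}, public id {pubid!r})"
    )


def has_dtd(data: bytes) -> bool:
    """Return True if `data` declares a DOCTYPE (internal subset or external DTD).

    Parameter-entity parsing is explicitly disabled so that no external DTD is
    ever fetched while scanning. Malformed XML raises expat.ExpatError.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    try:
        parser.Parse(data, True)
    except DTDNotAllowed:
        return True
    return False


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing any document that carries a DTD."""
    if has_dtd(data):
        raise DTDNotAllowed("inbound document declares a DTD; refusing to parse")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper: True if the gate refuses the document."""
    try:
        parse_untrusted_xml(data)
    except DTDNotAllowed:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
BENIGN_DOC = b'<?xml version="1.0"?><scan><issue id="1" severity="high"/></scan>'

# A document whose DTD points at an external resource. The host is a
# placeholder; the gate never attempts to contact it.
EXTERNAL_DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE scan SYSTEM "http://dtd.example.invalid/scan.dtd">'
    b'<scan><issue id="1"/></scan>'
)


if __name__ == "__main__":
    root = parse_untrusted_xml(BENIGN_DOC)
    print("benign document parsed, root element:", root.tag)
    print("external-DTD document rejected:", is_rejected(EXTERNAL_DTD_DOC))
```

The check deliberately runs as a separate pre-pass with a fresh expat parser rather than relying on the application parser's own settings, so it works the same regardless of which XML library the request is ultimately handed to. For a web service this gate belongs in the request-handling layer, before any deserialization, and rejections are worth logging since a DOCTYPE in client-supplied XML is rarely legitimate.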
Mitigation and Prevention
Steps to address and prevent exploitation of CVE-2018-12463.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates