← Advisories

KYOCERA Multi-Set Template Editor 3.4 Out-Of-Band XML External Entity Injection

High

Advisory ID

ZSL-2018-5459

Release Date

07 April 2018

Vendor

KYOCERA Corporation - https://global.kyocera.com

Affected Version

3.4.0906

CVE

CVE-2019-25253

Tested On

Microsoft Windows 7 Professional SP1 (EN), Apache Tomcat/8.5.15

Summary

KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be accomplished in a single, fast and modern environment.

Description

KYOCERA Multi-Set Template Editor (part of Net Admin) suffers from an unauthenticated XML External Entity (XXE) injection vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data from the affected node via out-of-band (OOB) channel attack. The vulnerability is triggered when input passed to the Multi-Set Template Editor (kmmted.exe) called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll is not sanitized while parsing a 5.x Multi-Set template XML file.

Proof of Concept

kyocera_xxe.txtTXT

Disclosure Timeline

28.03.2018Vulnerability discovered.

28.03.2018Vendor contacted.

06.04.2018No response from the vendor.

07.04.2018Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/44430/

[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/141385

[3]https://cxsecurity.com/issue/WLB-2018040069

[4]https://packetstormsecurity.com/files/147104

[5]https://www.cve.org/CVERecord?id=CVE-2019-25253

Changelog

07.04.2018Initial release

16.04.2018Added reference [1], [2], [3] and [4]

23.03.2026Added reference [5]