Leading experts from Positive Research, the research division of Positive Technologies, have announced their latest findings at Black Hat Europe, revealing new attack techniques that can be used to compromise the XML frameworks used in some of the most common and critical systems employed by major corporations.
Researchers Alexey Osipov and Timur Yunusov presented several new attack vectors - explaining how hackers can use the “Out of Band” technique (known as XXE OOB or XML OOB) to compromise applications such as ERP, DBMS, browsers, IDE, SCADA and even some security products. They found that processing a specially prepared XML document could give access to local files or consume excessive amounts of CPU or memory, crippling the server.
Some vendors, including Siemens, Invensys and ModSecurity have quickly responded to the threat and have already released patches to address the issue since being notified by the Positive Research team. Linux distributors such as Red Hat and Debian have also addressed the issue.
"The elimination of these vulnerabilities is a direct result of the research on the security of ICS components performed by our research teams,” commented Sergey Gordeychik, Positive Technologies EVP Product Strategy. “It’s impossible to design critical infrastructures safely if insecure components are used in production systems. Our aim is to increase the security level of ICS systems and we will continue to invest in this important area of research.”