CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes. Xerox issued a fix for two vulnerabilities impacting its market-leading DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to an attack resulting in the loss of sensitive data. On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and administrators to apply a patch that plugged two security holes in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated important. Tracked as CVE-2020-27177, Xerox said the vulnerabilities open Solaris, Linux, and Windows DucuShare users up to both a server-side request forgery (SSRF) attack and an unauthenticated external XML entity injection attack (XXE). Xerox issued its security advisory (XRX20W) on November 30.
More information: https://threatpost.com/xerox-docushare-bugs/161791/
Bugs such as this are very concerning, particularly as document signing happens online more and more. This is an example of the importance of an Enterprise Security Programme, where organisations understand their Information Assets and have an up-to-date Asset Management Inventory. By having these, organisations can prioritise applying patches when vulnerabilities and/or bugs like this are announced. The prioritisation of applying patches varies from organisation to organisation, but should fundamentally be based on risk assessment criteria of the services offered by the exposed website, i.e. payments, authentication credentials, and PII data. Security Automation is hugely beneficial to delivering quick responses to reduce risk exposure. Multi-Factor Authentication (MFA) plays a role in reducing the risk of this vulnerability being exploited, exposing critical data. However, that is dependent on the second and third-factor types, i.e. token type and how they have been implemented/configured with the WordPress Site.
Organisations can often protect themselves from the vast majority of cyber-attacks simply by adhering to a basic set of cyber hygiene standards. Chief among these is staying aware of the vulnerabilities that exist, then swiftly updating and patching devices. Xerox has already made available patches to the security flaws in their exposed systems. It is now down to organisations to implement these. Those who delay this will no doubt attract the attention of cybercriminals, who see these businesses as an easy target. Unfortunately, software providers may not always have a ‘hot fix’ available for all software. In this case, the Solaris version of DocuShare 7.5 is not yet available. In these situations, organisations should implement temporary mitigation procedures until a permanent solution is offered.