Carl Hurd of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple vulnerabilities in AT&T Labs’ Xmill utility. An attacker could take advantage of these issues to carry out a variety of malicious actions, including corrupting the application’s memory and gaining the ability to execute remote code.

Xmill and Xdemill are utilities that are purpose-built for XML compression and decompression, respectively. These utilities claim to be roughly two times more efficient at compressing XML than other compression methods. As of publishing, AT&T Labs is no longer supporting this software and, therefore, will not be issuing any patches. The software, released in 1999, can still be found in modern software suites, such as Schneider Electric's EcoStruxure Control Expert. Schneider is working to fix issues directly impacting Schneider Electric’s EcoStruxure Control Expert.

TALOS-2021-1278 (CVE-2021-21810) and TALOS-2021-1279 (CVE-2021-21811) are memory corruption vulnerabilities in the utility. An adversary could exploit these vulnerabilities by tricking the user into opening a specially crafted XML file.

Xmill also contains four heap-based buffer overflow vulnerabilities: TALOS-2021-1290 (CVE-2021-21825), TALOS-2021-1291 (CVE-2021-21826 - CVE-2021-21828), TALOS-2021-1292 (CVE-2021-21829) and TALOS-2021-1293 (CVE-2021-21830). These could all be exploited by an adversary to gain the ability to execute code on the victim machine.

Another vulnerability, TALOS-2021-1280 (CVE-2021-21812 - CVE-2021-21815), could also lead to remote code execution. However, in this case, an attacker could only exploit this vulnerability by first executing a specially crafted command-line argument on the victim machine.

Only a subset of these Xmill vulnerabilities directly affects Schenider’s Control Expert software: TALOS-2021-1290, TALOS-2021-1291, TALOS-2021-1292 and TALOS-2021-1293, which all directly affect Control Expert and are based around XML decompression within the software.

Cisco Talos worked with AT&T and Schneider to disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy.

Talos tested and confirmed these vulnerabilities affect AT&T Labs Xmill, version 0.7. However, there is no update available, as AT&T is no longer supporting this product.

The following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 57503 - 57508. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.