ESA-2014-026: vulnerability explained

On January 3, 2014 I discovered a vulnerability in Documentum Content Server and reported it to EMC the same day.

On April 11, 2014 EMC published the ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability.

One month later, in this post, I describe the vulnerability in more detail, so that you can see in which situations, and why, you should apply the latest patches released by EMC.

First of all, this is a Documentum Content Server vulnerability: in a repository, a user with limited privileges can browse more objects than the configuration should permit. The issue is related to the Restricted Folders configuration option of dm_user objects.

How to exploit the security bug

Create a new standard Documentum user:

[Screenshot: user creation in Documentum Administrator]

  • user_name equal to HACK
  • standard privilege set to NONE
  • default folder /HACK
  • restricted folder /Temp

As reported in the EMC Documentum Content Server Version 7.x Administration and Configuration Guide, the Restrict Folder Access To configuration option:

“Specifies which folders the user can access. (…)

If no folders or cabinets are specified, the user has access to all folders and cabinets in the repository, depending on the permissions on those cabinets and folders, and depending on folder security.”

In our scenario, the HACK user should be able to access only the objects linked into the /Temp cabinet. Let’s continue building the environment to prove the vulnerability. With a standard user, create a document in a new folder, for example in the cabinet /SECURITY BUG EXPLOIT, and grant the dm_world alias BROWSE or a more powerful permission on it. I named this document “My personal salary”. I know, I know: for a private document such as “My personal salary” I should not grant BROWSE permission to the dm_world alias, but the HACK user should certainly not be able to browse or read my document anyway, because it is “outside” his restricted folders.

[Screenshot: the “My personal salary” document and its permissions]

Does the Restricted Folders option work? Yes, let’s test it. In my system the ID of this document is 09001eab80002990. Log into Documentum Administrator with the HACK user’s credentials and execute the DQL query shown below:

[Screenshot: DQL query executed as the HACK user]

Zero rows returned: the Restricted Folders security option works well!

Again, correctly, the dump of the object fails:

API>dump,c,09001eab80002990

Error processing command:DfException:: THREAD: tomcat-http-19; MSG: [DM_SYSOBJECT_E_NOT_IN_RESTRICTED_FOLDERS]error: "The sysobject ('09001eab80002990') is not in any folder (or subfolder of the folder) specified in the user's restricted_folder_ids."; ERRORCODE: 100; NEXT: null

So the Restricted Folders configuration works well, but in some cases there is a…

Vulnerability

The problem is that the HACK user can browse more documents than permitted if he or she uses the not folder(…) predicate.

If the HACK user runs a DQL query with the not folder(…) predicate, as shown below, he or she can browse the metadata of documents outside his or her restricted folders, and can browse (or read, write, delete, depending on the permission granted to the dm_world alias on each document) more data:

[Screenshot: DQL query with not folder(…) executed as the HACK user, returning the document]
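To make the design point behind this bug concrete, here is a small model of the restricted-folder decision. It is an added example written for this post, not Content Server code, and the folder ids, object ids and user below are constructed. It models the defensive rule that matters: the check must be applied to every object a query returns, based on the folders the object is actually linked into, rather than inferred from whether the query text used a folder(…) predicate. With that rule, a folder(…) query and a not folder(…) query return the same restricted view for the HACK user.

```python
"""Simplified model of a restricted-folder authorization check.

Added example, not Content Server code. Every id below is constructed;
the dm_user attribute name restricted_folder_ids and the i_folder_id
concept are the only names taken from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Folder:
    folder_id: str
    parent_id: Optional[str]  # None for a cabinet (top level)


@dataclass
class SysObject:
    object_id: str
    object_name: str
    folder_ids: List[str]  # like i_folder_id: folders the object is linked into


@dataclass
class User:
    user_name: str
    # Empty list means "no restriction", as in the Administration Guide text.
    restricted_folder_ids: List[str] = field(default_factory=list)


# Constructed repository: a /Temp cabinet with a subfolder, and a second
# cabinet standing in for /SECURITY BUG EXPLOIT.
FOLDERS: Dict[str, Folder] = {
    "0c-temp": Folder("0c-temp", None),
    "0b-temp-sub": Folder("0b-temp-sub", "0c-temp"),
    "0c-exploit": Folder("0c-exploit", None),
}
OBJECTS: List[SysObject] = [
    SysObject("09-scratch", "scratch note", ["0b-temp-sub"]),
    SysObject("09-salary", "My personal salary", ["0c-exploit"]),
]


def ancestors(folder_id: Optional[str]):
    """Yield folder_id and every parent folder up to the cabinet."""
    while folder_id is not None:
        yield folder_id
        folder_id = FOLDERS[folder_id].parent_id


def in_restricted_folders(user: User, obj: SysObject) -> bool:
    """True if the object is filed in, or below, one of the user's
    restricted folders. Unrestricted users always pass this check."""
    if not user.restricted_folder_ids:
        return True
    allowed = set(user.restricted_folder_ids)
    return any(anc in allowed
               for fid in obj.folder_ids
               for anc in ancestors(fid))


def folder_predicate(folder_id: str, descend: bool = True):
    """Model of the DQL folder(id, descend) predicate."""
    def pred(obj: SysObject) -> bool:
        if descend:
            return any(folder_id in ancestors(fid) for fid in obj.folder_ids)
        return folder_id in obj.folder_ids
    return pred


def run_query(user: User, predicate) -> List[str]:
    """Evaluate the query predicate, then apply the restriction to every
    row. The restriction does not depend on how the predicate was written,
    so negating it cannot widen the result set."""
    return [o.object_id for o in OBJECTS
            if predicate(o) and in_restricted_folders(user, o)]


HACK = User("HACK", restricted_folder_ids=["0c-temp"])
under_temp = folder_predicate("0c-temp")


def not_under_temp(obj: SysObject) -> bool:
    """The not folder(…) form of the same query."""
    return not under_temp(obj)


if __name__ == "__main__":
    print("HACK, folder(/Temp):", run_query(HACK, under_temp))
    print("HACK, not folder(/Temp):", run_query(HACK, not_under_temp))
    print("unrestricted, not folder(/Temp):", run_query(User("admin"), not_under_temp))
```

The third call shows that an unrestricted user still sees the document outside /Temp, so the filter only narrows the view of users who actually have restricted_folder_ids set; the first two show that the HACK user gets the same narrowed view whichever way the predicate is phrased.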

So, if “your” repository is configured to use the Restricted Folders option for some special users, you should probably upgrade the Content Server at the earliest opportunity.

Moreover, if the end-user repository is also a Global Registry repository, you should upgrade all your content servers! You know that there is a special user configured to work only on some Restricted Folders: the dm_bof_registry user.

[Screenshot: the dm_bof_registry user and its restricted folders]

If the end-user repository is a Global Registry repository, upgrade your content servers as soon as you can, because, as you probably know, there are some ways to decrypt the dm_bof_registry password stored in the dfc.properties file: with this user’s credentials someone could potentially access all the documents in the repository that are protected only by the dm_world / BROWSE permission. It is good practice to use a dedicated repository for the Global Registry, and this vulnerability justifies that practice one more time.

Resolution

To solve this issue you should upgrade to one of the versions listed below:

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later

ESA-2014-045 Documentum D2 Vulnerability

Today EMC released a note related to a vulnerability that affects the Documentum D2 client.

The CVE identifier is CVE-2014-2504 (score 8.5). The affected products are:

  • EMC Documentum D2 3.1 and patch versions
  • EMC Documentum D2 3.1SP1 and patch versions
  • EMC Documentum D2 4.0 and patch versions
  • EMC Documentum D2 4.1 and patch versions
  • EMC Documentum D2 4.2 and patch versions

In particular, EMC Documentum D2 may be vulnerable to an arbitrary Documentum Query Language (DQL) query execution vulnerability, because there are methods and a D2FS web service method that may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. For this reason an upgrade to the latest patch is strongly recommended.

The following products contain the resolution to this issue:

  • EMC Documentum D2 3.1P20
  • EMC Documentum D2 3.1SP1P02
  • EMC Documentum D2 4.0P10
  • EMC Documentum D2 4.1P13
  • EMC Documentum D2 4.2P01

OpenSSL Heartbleed and Documentum – Update – ESA-2014-037

Today EMC reported in ESA-2014-037 that the impact of the OpenSSL Heartbleed vulnerability (CVE-2014-0160) on Documentum Content Server is limited to:

  • Fulltext query plugin used by the Content Server to communicate with the xPlore server;
  • CAS plugin, used by the Content Server for CAS based authentication.

The impacted environments are:

  • Documentum Content Server (Linux platform only) 6.7 SP1 (P14-P26), 6.7 SP2 (P01-P12), 7.0 (P03-P13)
  • Documentum Content Server (Windows 64, Linux, Solaris, AIX) 7.1 (base release – P03)

For these environments, EMC strongly recommends upgrading to one of the versions listed below at the earliest opportunity.

  • EMC Documentum Content Server version 7.1 P04 and later
  • EMC Documentum Content Server Linux version 7.0 P14 and later
  • EMC Documentum Content Server Linux version 6.7 SP2 P13 and later
  • EMC Documentum Content Server Linux version 6.7 SP1 P27 and later

After upgrade, it is strongly recommended to:

  • Renew certificates
  • Revoke old certificates
  • Change passwords for CAS user accounts

Mac magazine 067 is on newsstands – Macworld / iWorld 2014

The ULTIMISSIME section of Mac magazine 067, on newsstands in May 2014, carries the first articles I wrote after attending the Macworld/iWorld 2014 event in San Francisco, from March 27 to 29, 2014.

[Image: article by Yuri Simione – Macworld / iWorld 2014]

OpenSSL Heartbleed Vulnerability (CVE-2014-0160) does not affect Documentum systems

The OpenSSL Heartbleed vulnerability (CVE-2014-0160) does not affect Documentum systems, simply because they don’t use OpenSSL! The only concern is the on-premise edition of Syncplicity.

Due to a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension, up to 64k of memory can be revealed to a connected client or server. This may potentially allow an unauthenticated, remote attacker to gain access to sensitive information such as private keys, login passwords, and encryption keys (Secret Keys). As a result of this disclosure of sensitive information, these Secret Keys can potentially be leveraged to decrypt other sensitive information or conduct so-called man-in-the-middle attacks.

References:

  • Original disclosure: http://heartbleed.com/
  • US CERT: http://www.kb.cert.org/vuls/id/720951
  • NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&cid=2

Non-Impacted Products:

  • Documentum ApplicationXtender: does not use OpenSSL
  • Documentum Content Application (ACS, BOCS, DMS, UCF): does not use OpenSSL
  • Documentum D2: does not use OpenSSL
  • Documentum DFS: does not use OpenSSL
  • Documentum eRoom: does not use OpenSSL
  • Documentum InfoArchive: does not use OpenSSL
  • Documentum REST Services: does not use OpenSSL
  • Documentum xPression: does not use OpenSSL
  • Syncplicity Enterprise Edition On-Premise (all versions): see ESA-2014-030 for details: https://support.emc.com/kb/185966

ESA-2014-023: EMC Documentum JBOSS Remote Code Execution Vulnerability

Today EMC published two security bulletins. The first one, ESA-2014-026, concerns a vulnerability I discovered. The second one is related to a standard JBoss vulnerability. JBoss is used by some Documentum components, such as the Documentum Java Method Server and xPlore.

Below is the official bulletin.

ESA-2014-023
CVE-2012-0874
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EMC Software: All EMC Documentum Content Server versions of 7.0
EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
EMC Software: All EMC Documentum Content Server versions of 6.7 SP1 and earlier
EMC Software: EMC Documentum xPlore versions of 1.2
EMC Software: EMC Documentum xPlore versions of 1.3
EMC Documentum products listed above may be vulnerable to remote code execution vulnerability.
EMC Documentum Content Server and xPlore embed JBoss servlets (JMXInvokerServlet and EJBInvokerServlet). These JBOSS servlets are vulnerable to remote code execution vulnerability. The vulnerability may be exploited to execute remote code with NT AUTHORITY\SYSTEM privileges. Affected JBOSS servlets are not required for either Documentum Content Server or xPlore’s functionality.

See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0874 for more details.

EMC strongly recommends all customers upgrade to one of the versions listed below or apply the workaround for all other affected versions at the earliest opportunity. The following products contain the resolution to this issue:

  • EMC Documentum Content Server version 7.1
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P12
  • EMC Documentum Content Server version 6.7 SP1 P24
  • EMC Documentum xPlore version 1.4
  • EMC Documentum xPlore version 1.2 P25 and later

Workaround for all other affected versions of Documentum Content Server and xPlore:

  1. Stop the “Java Method Server” service.
  2. Open <DOCUMENTUM install dir>\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml. For example:
     C:\Documentum\jboss5.1.0\server\DctmServer_MethodServer\deploy\http-invoker.sar\invoker.war\WEB-INF\web.xml
  3. Modify the web.xml file to remove the definition and mapping for the servlets EJBInvokerServlet and JMXInvokerServlet.
  4. Start the “Java Method Server” service.

Registered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server
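Step 3 of the workaround is the one that is easy to get only half right by hand (removing the <servlet> block but leaving the <servlet-mapping>, or the reverse). The script below is an added example, not EMC’s or JBoss’s code: it removes both the definition and the mapping for the two servlets named in the bulletin and then lists the servlet names that remain, which is the check to run before restarting the Java Method Server. The embedded web.xml is a constructed sample that only resembles the real invoker.war descriptor; inspect the real file and keep a backup before applying this to a server.

```python
"""Remove the JMXInvokerServlet and EJBInvokerServlet <servlet> and
<servlet-mapping> entries from a JBoss web.xml.

Added example, not EMC's or JBoss's code. SAMPLE_WEB_XML is a constructed
stand-in for the real http-invoker.sar/invoker.war/WEB-INF/web.xml and
may differ from it in detail.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# The two servlets the bulletin says are not needed by Content Server or xPlore.
REMOVED_SERVLETS: Set[str] = {"JMXInvokerServlet", "EJBInvokerServlet"}

# Constructed sample. The "HealthCheck" servlet is invented to show that
# unrelated entries are left untouched.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>EJBInvokerServlet</servlet-name>
    <servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>HealthCheck</servlet-name>
    <servlet-class>example.HealthCheckServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JMXInvokerServlet</servlet-name>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>EJBInvokerServlet</servlet-name>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>HealthCheck</servlet-name>
    <url-pattern>/health</url-pattern>
  </servlet-mapping>
</web-app>
"""


def local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def strip_invoker_servlets(xml_text: str, names: Set[str] = REMOVED_SERVLETS) -> Tuple[str, int]:
    """Return (new_xml, removed_count) with every <servlet> and
    <servlet-mapping> whose <servlet-name> is in `names` removed."""
    root = ET.fromstring(xml_text)
    # Keep the default namespace on output instead of an ns0: prefix.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    removed = 0
    for child in list(root):  # copy: we mutate root while iterating
        if local_name(child.tag) not in ("servlet", "servlet-mapping"):
            continue
        name_el = next((e for e in child if local_name(e.tag) == "servlet-name"), None)
        if name_el is not None and (name_el.text or "").strip() in names:
            root.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def remaining_servlet_names(xml_text: str) -> List[str]:
    """Servlet names still declared or mapped: the post-change verification."""
    root = ET.fromstring(xml_text)
    return sorted({(e.text or "").strip() for e in root.iter()
                   if local_name(e.tag) == "servlet-name"})


if __name__ == "__main__":
    new_xml, count = strip_invoker_servlets(SAMPLE_WEB_XML)
    print(f"removed {count} elements")
    print("remaining servlets:", remaining_servlet_names(new_xml))
```

On a real server you would read the file into `strip_invoker_servlets`, write the returned text back only after confirming that `remaining_servlet_names` no longer lists either invoker servlet, and then restart the Java Method Server as in step 4.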

ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability

This January I discovered a security issue that affects some EMC Documentum Content Server versions. EMC resolved the issue and just today released the security bulletin ESA-2014-026.

This is the second credit I received from EMC after the one published on the ESA-2012-009.

I have responsibly never publicly disclosed the exploit for the first issue I discovered, and I never will, because that security problem affects many unsupported Documentum systems (versions 6.5, 6.0 and 5.3) and we know that some customers are still using these versions right now: for these versions no solution or fix exists, nor will one exist in the future (and IMHO this security issue is very dangerous).

I have decided to publish the exploit for the newly published security alert: I will do that in a few weeks, to give you enough time to apply the patch in your production environments. I will explain why a Documentum administrator should update the systems they manage.

If you like this information, you can subscribe to this blog, follow me on Twitter, or add my LinkedIn profile to your network.

Below is the official bulletin.

ESA-2014-026
CVE-2014-0642
CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
EMC Software: All EMC Documentum Content Server versions of 7.1
EMC Software: All EMC Documentum Content Server versions of 7.0
EMC Software: All EMC Documentum Content Server versions of 6.7 SP2
EMC Software: All EMC Documentum Content Server versions of 6.7 SP1
EMC Software: All EMC Documentum Content Server versions prior to 6.7 SP1
EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability.
EMC Documentum Content Server may be vulnerable to an information disclosure vulnerability that may potentially be exploited by malicious users to gain unauthorized access to metadata. This is due to improper authorization checks being performed when trying to access metadata from folders outside of restricted folders configured for Content Server users. This vulnerability is only limited to reading the metadata as the malicious user is not able to gain read/write access to the content itself.
EMC recommends all customers upgrade to one of the versions listed below at the earliest opportunity.

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later
Registered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server
Credits: EMC would like to thank Yuri Simione (http://twitter.com/artika4biz) for reporting this issue.

The Feeling Skin: The First iPhone Case that bonds Friends Deeper

The Feeling Skin is a “smart” case for an iPhone using color pulsations and intensity variations to keep you in tune with the mood of your close friends. It also acts as a full-day smart battery pack for your phone.

San Francisco, April 3, 2014 — Twelve Monkeys Company, a smartphone accessories startup, is launching a Kickstarter campaign for the Feeling Skin, the first “smart” and social iPhone 5/5S case that alerts you to the mood of your friends. Using its companion app, simply hit “Mood Up” or “Mood Down”, snap a video of the moment you are in and share it with your community. Each time you receive a Mood, your Feeling Skin will light up and pulse to notify you of your friends’ emotions. The Feeling Skin App is free and compatible with any phone. The Pulse button on the back of the case invites your friends to share their moods.

“The Feeling Skin is an object that allows you to bond deeply with your friends, it senses your friends’ current emotions. The Feeling Skin has empathy”, says Rémy Koné, CEO of Twelve Monkeys Company.

The Feeling Skin is also a smart battery case that can prolong the life of your battery up to 80%. The case automatically detects when the battery is running low, and will automatically charge your iPhone5/5S. You can also do this by manually enabling the Charge function on your app. The Feeling Skin comes with a USB cable making it easy to synchronize and charge your phone. Thanks to a patented technology, the Feeling Skin allows you to both charge and synchronize your iPhone5/5S with the USB cable. This unique, sensual and lightweight case will protect your phone and make you stand out.

About the Feeling Skin Kickstarter Campaign:

  • $1 gets you a beta version of the Feeling Skin App
  • $69 gets you your very own Feeling Skin Case, plus a beta version of the app ($49 for the first 250 backers).

Link to the Kickstarter campaign:

https://www.kickstarter.com/projects/thefeelingskin/the-feeling-skin

About Twelve Monkeys Company:

Founded in 2012 by three childhood friends, Rémy Koné, David Frot, and Adrien Courty, Twelve Monkeys’ mission is to create “smarter” smartphone accessories, through intelligently designed connected objects that harness the power of a smartphone and bring about new forms of interaction.

What’s New in EMC Documentum xCP 2.1, D2 4.2 and more

http://www.youtube.com/watch?v=hdJpPZw_qN0

http://www.youtube.com/watch?v=bwuts2WVJX4

http://www.youtube.com/watch?v=y_YDhcckAX8

http://www.youtube.com/watch?v=D8DWfE0eOV8

http://www.youtube.com/watch?v=UqOdtjSy8Ig

http://www.youtube.com/watch?v=ssphoSl2Z5E

http://www.youtube.com/watch?v=h700EvfgTNs

http://www.youtube.com/watch?v=xXeOTANmYoQ

http://www.youtube.com/watch?v=ultWIYpeWuE

http://www.youtube.com/watch?v=zpA88VhzkJQ

http://www.youtube.com/watch?v=CCOIpnonhGg

EMC Documentum xCP 2.1 is arriving

Documentum xCP 2.1 is arriving: EMC has published a white paper on the Type Adoption feature, which was discussed during the Momentum Developer Conference 2013.

Developers will soon be able to import and use plain old Documentum object types (standard and custom).

docu51365_White-Paper:-Type-Adoption-in-xCP-Applications.pdf (EMC Support authentication required)

[Image: Type Adoption, EMC white paper for xCP 2.1]