On January 3, 2014 I discovered a vulnerability related to Documentum Content Server that I communicated to EMC during the same day.

On April 11, 2014 EMC published the ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability.

One month after that, in this post, I am going to describe publicly more about this vulnerability, in order to share in which situation and why you should apply latest patches released by EMC.

First of all, this is a Documentum Content Server vulnerability: in a repository, a user with limited privilege, can browse more objects than a standard configuration should permit. The issue is related to the restricted folders configuration option for the dm_user instances.

How to exploit the security bug

Create a new standard Documentum user:

• user_name equal to HACK,
• standard privilege set to NONE,
• default folder /HACK
• restricted folder /Temp

As reported in the EMC Documentum Content Server Version 7.x Administration and Configuration Guide, the Restrict Folder Access To configuration:

“Specifies which folders the user can access. (…).

If no folders or cabinets are specified, the user has access to all folders and cabinets in the repository, depending on the permissions on those cabinets and folders, and depending on folder security.”

In our scenario, the HACK user should access just the objects linked into the /Temp cabinet. Let’s continue to create the environment to prove the vulnerability. With a standard user, create a document in a new folder, for example into the cabinet /SECURITY BUG EXPLOIT. For this document add the BROWSE or more powerful permission to the dm_world alias. I named this document “My personal salary”. I know, I know: for a private document such “My personal salary” I should not add BROWSE permission to dm_world alias but for sure the HACK user should not browse and read my document, because this document is “outside” his restricted folders.

Does the Restricted Folders option work? Yes, let’s test it. In my system the ID of this document is 09001eab80002990. Login into Documentum Administrator, with the HACK user credentials and execute the DQL query reported below: 

Zero rows returned: Restricted Folders security option works well!

Again, correctly, the execution of the dump object fails:

API>dump,c,09001eab80002990

Error processing command:DfException:: THREAD: tomcat-http–19; MSG: [DM_SYSOBJECT_E_NOT_IN_RESTRICTED_FOLDERS]error: “The sysobject (’09001eab80002990′) is not in any folder (or subfolder of the folder) specified in the user’s restricted_folder_ids.”; ERRORCODE: 100; NEXT: null

So Restricted Folders configuration works well but in some cases there is a….

Vulnerability

The problem is that HACK user can browse more documents than permitted if he or she uses the not folder keywords.

If the HACK user executes DQL using the not folder(…) statement as reported below, he/she can browse the metadata of the document outside his restricted folders and he/she can browse (or read, write, delete, depending on permission add to the documents for the dm_world alias) more data:

So, if  ”your” repository is  configured to use Restricted Folders option for some special users, you probably should upgrade the Content Server at the earliest opportunity.

Anyway, if the end-user repository is a Global Registry repository, you should upgrade all your content servers! You know that there is a special user configured to work just on some Restricted Folders: the dm_bof_registry user.

If the end-user repository is a Global Registry repository, upgrade your content servers as soon as you can, because, as you probably know, there are some ways to decrypt the dm_bof_regsitry password stored in the dfc.properties file: with this user credential someone could potentially access to all the documents stored in the repository protected with the dm_world / BROWSE permission. It’s a good practice to use a dedicated repository for the Global Registry and this vulnerability justify one more time why.

Resolution

To solve this issue you should upgrade to one of the versions listed below:

• EMC Documentum Content Server version 7.1 P02 and later
• EMC Documentum Content Server version 7.0 P13 and later
• EMC Documentum Content Server version 6.7 SP2 P13 and later
• EMC Documentum Content Server version 6.7 SP1 P26 and later