Well, a couple of weeks ago EMC bumped the version of D2, and now they claim that this version contains some security enhancements, and that these enhancements are so serious that all customers are recommended to upgrade their installations “at the earliest opportunity”:
Prior to EMC Documentum D2 4.6, many D2 Configuration object types were not properly protected with ACLs. As a result, an authenticated but unprivileged user could then modify or delete such objects.
The following EMC Documentum D2 release contains resolutions to these vulnerabilities:
EMC Documentum D2 4.6
EMC recommends that all customers upgrade to D2 4.6 at the earliest opportunity
Yesterday Yuri Simione published a great post containing his thoughts about this vulnerability; unfortunately, Yuri Simione's thoughts are just half of the truth, and the real situation is much worse than you might expect. But before revealing all the cards, let's concentrate on EMC's announcement only. There are two main points:
- a fix exists only for version 4.6
- the severity of the vulnerability was estimated as high: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
The first point is really ridiculous because EMC previously claimed the following about the support policy for D2 4.5:
New D2 4.5 Support Windows:
Primary support extended to April 30, 2019
Secondary support extended to April 30 of 2022
And as you can see, D2 4.5 is not fully supported anymore. Doesn't it look enticing to announce long support windows and then every year forcibly move customers to a new version?
The second point looks strange to me because the security impact was either overestimated or underestimated. Take a look at EMC's estimate, the CVSS vector quoted above, and try to interpret its values:
- AV:N – Attack Vector = Network – OK
- AC:L – Attack Complexity = Low – OK
- PR:L – Privileges Required = Low – OK
- UI:N – User Interaction = None – OK
- S:U – Scope = Unchanged – see below
- C:H – Confidentiality Impact = High – see below
- I:H – Integrity Impact = High – OK
- A:H – Availability Impact = High – OK
The values of two metrics (Scope and Confidentiality Impact) look extremely doubtful: before D2 4.6 any authenticated user was able to read D2 configs stored in the database, and in D2 4.6 any authenticated user is still able to read D2 configs stored in the database, so I do not see any “Confidentiality Impact” there. This means that either “Confidentiality Impact” was not properly estimated or EMC is trying to hide something.
Fortunately, I was the original researcher of most of the vulnerabilities in D2, and I do know the truth. Here you can find a list of unresolved vulnerabilities in the Documentum product stack; this list was provided by CERT in February 2015, and there you can find the following comment from EMC:
Fixing PSRC-2105 will be a major undertaking and it has been decided by D2 Product Management that it will not be fixed in the next release of D2 (currently versioned as 4.2.1) scheduled GA in 2015 Q2 due to resource constraints. The remediation plan here then is to fix PSRC-2105 in 2015 after the upcoming D2 4.2.1 release.
It appears that the fixed releases communicated for this issue were incorrect. This has not been fixed because the vulnerability described in PSRC-2105 (D2 configuration objects not being protected with ACLs) on which it relies has not been fixed yet. However, fixing the latter will be a major undertaking and it has been decided by D2 Product Management that it will not be fixed in the next release of D2 (currently versioned as 4.2.1) scheduled GA in 2015 Q2 due to resource constraints. The remediation plan here then is to fix PSRC-2105 in 2015 after the upcoming D2 4.2.1 release.
This comment is related to the following blog post: CVE-2015-0518. Was it really fixed?
So, the real situation is: if D2 is installed, any authenticated user is able to gain superuser privileges, i.e. the installation of D2 affects Content Server, so according to the CVSS guide (“an exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component”) the value of the Scope metric is “Changed” and the real CVSS vector is: