EMC Documentum Content Server Multiple Vulnerabilities (ESA-2015-131)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by multiple vulnerabilities.

Description :

The version of EMC Documentum Content Server running on the remote
host is affected by multiple vulnerabilities :

- A privilege escalation vulnerability exists due to
improper authorization checks performed on subgroups
within the dm_superusers group. An authenticated, remote
attacker can exploit this to gain super-user privileges,
thus allowing access to data or unauthorized actions on
the Content Server. Note that the previous fix for this
issue (CVE-2014-4622) was incomplete. (CVE-2015-4531)

- A privilege escalation vulnerability exists due to
improper authorization and object type checks performed
during the handling of RPC commands that involve the
dm_bp_transition method. An authenticated, remote
attacker can exploit this, by using a crafted script,
to gain elevated privileges, thus allowing unauthorized
actions, such as the execution of arbitrary code. Note
that the previous fix for this issue (CVE-2014-2514) was
incomplete. (CVE-2015-4532)

- A privilege escalation vulnerability exists due to
improper authorization checks during the handling of
custom scripts. An authenticated, remote attacker can
exploit this to gain elevated privileges, thus allowing
unauthorized actions on the Content Server. Note that
the previous fix for this issue (CVE-2014-2513) was
incomplete. (CVE-2015-4533)

- A remote code execution vulnerability exists due to the
Java Method Server (JMS) not properly validating digital
signatures for query strings without the 'method_verb'
parameter. An authenticated, remote attacker can exploit
this, via a crafted digital signature for a query
string, to execute arbitrary code in the JMS context,
depending on what Java classes are present in the
classloader. (CVE-2015-4534)

- An information disclosure vulnerability exists due to
a flaw in the Java Method Server (JMS) in how login
tickets are logged in certain instances when the
__debug_trace__ parameter is enabled. An authenticated,
remote attacker with access to the logs can exploit this
to gain access to super-user tickets. (CVE-2015-4535)

See also :

http://seclists.org/bugtraq/2015/Aug/att-86/ESA-2015-131.txt

Solution :

Apply the relevant patch referenced in the vendor advisory.

Risk factor :

High / CVSS Base Score : 8.2
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:P)
CVSS Temporal Score : 6.1
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 85544

Bugtraq ID: 76409, 76410, 76411, 76413, 76414

CVE ID: CVE-2015-4531, CVE-2015-4532, CVE-2015-4533, CVE-2015-4534, CVE-2015-4535
