EMC Documentum Content Server Multiple Vulnerabilities (ESA-2014-079)

2014-09-11T00:00:00
ID EMC_DOCUMENTUM_CONTENT_SERVER_ESA-2014-079.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-11-25T00:00:00

Description

The remote host is running a version of EMC Documentum Content Server that is affected by multiple vulnerabilities :

  • An error exists in the 'ssl3_read_bytes' function that permits data to be injected into other sessions or allows denial of service attacks. Note that this issue is exploitable only if SSL_MODE_RELEASE_BUFFERS is enabled. (CVE-2010-5298)

  • An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)

  • A buffer overflow error exists related to invalid DTLS fragment handling that permits the execution of arbitrary code or allows denial of service attacks. Note that this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)

  • An error exists in the 'do_ssl3_write' function that permits a NULL pointer to be dereferenced, which could allow denial of service attacks. Note that this issue is exploitable only if SSL_MODE_RELEASE_BUFFERS is enabled. (CVE-2014-0198)

  • An error exists related to DTLS handshake handling that could allow denial of service attacks. Note that this issue only affects OpenSSL when used as a DTLS client. (CVE-2014-0221)

  • An error exists in the processing of ChangeCipherSpec messages that allows the usage of weak keying material. This permits simplified man-in-the-middle attacks to be done. (CVE-2014-0224)

  • A remote code execution vulnerability exists due to improper authorization checks. A remote, authenticated attacker can exploit this vulnerability to execute arbitrary code. (CVE-2014-4618)

  • An information disclosure vulnerability exists due to a flaw in the Documentum Query Language (DQL) engine. A remote, authenticated attacker can exploit this vulnerability to conduct DQL injection attacks and read arbitrary data from the database. Note that this only affects Content Server installations running on Oracle Database. (CVE-2014-2520)

  • An error exists in the 'dtls1_get_message_fragment' function related to anonymous ECDH cipher suites. This could allow denial of service attacks. Note that this issue only affects OpenSSL TLS clients. (CVE-2014-3470)

  • An information disclosure vulnerability exists due to improper authorization checks on certain RPC commands. A remote, authenticated attacker can exploit this vulnerability to retrieve meta-data of unauthorized system objects. (CVE-2014-2521)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77635);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id(
    "CVE-2010-5298",
    "CVE-2014-0076",
    "CVE-2014-0195",
    "CVE-2014-0198",
    "CVE-2014-0221",
    "CVE-2014-0224",
    "CVE-2014-2520",
    "CVE-2014-2521",
    "CVE-2014-3470",
    "CVE-2014-4618"
  );
  script_bugtraq_id(
    66363,
    66801,
    67193,
    67898,
    67899,
    67900,
    67901,
    69273,
    69274,
    69276
  );
  script_xref(name:"CERT", value:"978508");

  script_name(english:"EMC Documentum Content Server Multiple Vulnerabilities (ESA-2014-079)");
  script_summary(english:"Checks for Documentum Content Server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of EMC Documentum Content Server
that is affected by multiple vulnerabilities :

  - An error exists in the 'ssl3_read_bytes' function
    that permits data to be injected into other sessions
    or allows denial of service attacks. Note that this
    issue is exploitable only if SSL_MODE_RELEASE_BUFFERS
    is enabled. (CVE-2010-5298)

  - An error exists related to the implementation of the
    Elliptic Curve Digital Signature Algorithm (ECDSA) that
    could allow nonce disclosure via the 'FLUSH+RELOAD'
    cache side-channel attack. (CVE-2014-0076)

  - A buffer overflow error exists related to invalid DTLS
    fragment handling that permits the execution of
    arbitrary code or allows denial of service attacks.
    Note that this issue only affects OpenSSL when used
    as a DTLS client or server. (CVE-2014-0195)

  - An error exists in the 'do_ssl3_write' function that
    permits a NULL pointer to be dereferenced, which could
    allow denial of service attacks. Note that this issue
    is exploitable only if SSL_MODE_RELEASE_BUFFERS is
    enabled. (CVE-2014-0198)

  - An error exists related to DTLS handshake handling that
    could allow denial of service attacks. Note that this
    issue only affects OpenSSL when used as a DTLS client.
    (CVE-2014-0221)

  - An error exists in the processing of ChangeCipherSpec
    messages that allows the usage of weak keying material.
    This permits simplified man-in-the-middle attacks to be
    done. (CVE-2014-0224)

  - A remote code execution vulnerability exists due to
    improper authorization checks. A remote, authenticated
    attacker can exploit this vulnerability to execute
    arbitrary code. (CVE-2014-4618)

  - An information disclosure vulnerability exists due to a
    flaw in the Documentum Query Language (DQL) engine. A
    remote, authenticated attacker can exploit this
    vulnerability to conduct DQL injection attacks and
    read arbitrary data from the database. Note that this
    only affects Content Server installations running on
    Oracle Database. (CVE-2014-2520)

  - An error exists in the 'dtls1_get_message_fragment'
    function related to anonymous ECDH cipher suites. This
    could allow denial of service attacks. Note that this
    issue only affects OpenSSL TLS clients. (CVE-2014-3470)

  - An information disclosure vulnerability exists due to
    improper authorization checks on certain RPC commands.
    A remote, authenticated attacker can exploit this
    vulnerability to retrieve meta-data of unauthorized
    system objects. (CVE-2014-2521)");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2014/Aug/att-93/ESA-2014-079.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20140605.txt");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4618");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:emc:documentum_content_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("emc_documentum_content_server_installed.nbin");
  script_require_keys("installed_sw/EMC Documentum Content Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("emc_documentum.inc");

app_name = DOC_APP_NAME;
get_install_count(app_name:app_name, exit_if_zero:TRUE);
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

fixes = make_nested_list(
  make_list("7.1P07"),
  make_list("7.0" + DOC_HOTFIX),
  make_list("6.7SP2P16"),
  make_list("6.7SP1" + DOC_HOTFIX, DOC_NO_MIN)
);

documentum_check_and_report(install:install, fixes:fixes, severity:SECURITY_HOLE);