CVE-2017-15276
Published 2017-10-13
Priority: P2 (62) · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.49% (94.8th percentile)
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server allows uploading content using batches (TAR archives). When unpacking TAR archives, Content Server fails to verify the contents of an archive, which causes a path traversal vulnerability via symlinks. Because some files on the Content Server filesystem are security-sensitive, this leads to privilege escalation.
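A defensive check for the archive handling described above, added here as an example and not code from Documentum or OpenText: it constructs a GNU-format batch shaped like the one the description refers to (a property.txt beside a symlink entry) and lists the members a safe unpacker must refuse. The unpack directory and the link target are placeholders, not real Content Server paths.

```python
import io
import os
import tarfile


def build_sample_batch() -> bytes:
    """Construct a GNU-format batch: property.txt beside a symlink entry.

    The link target and the escaping name are placeholders, not real
    Content Server paths.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        props = b"object_name=batch-demo\n"
        info = tarfile.TarInfo("property.txt")
        info.size = len(props)
        tar.addfile(info, io.BytesIO(props))
        link = tarfile.TarInfo("content/0001")          # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../PLACEHOLDER_SENSITIVE_FILE"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../escape.txt"))   # name climbs out by itself
        tar.addfile(tarfile.TarInfo("content/0002"))    # ordinary member
    return buf.getvalue()


def audit_batch(tar_bytes: bytes, dest: str) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry a safe unpacker must refuse.

    Policy: no link entries at all (a link inside the root can still be
    written through by a later member), no names resolving outside dest,
    and only regular files and directories.
    """
    root = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                rejected.append((m.name, "link entry"))
                continue
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                rejected.append((m.name, "name escapes unpack directory"))
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "unsupported entry type"))
    return rejected


if __name__ == "__main__":
    for name, why in audit_batch(build_sample_batch(), "/srv/batch-unpack"):
        print(f"refuse {name}: {why}")
```

Python 3.12's `tarfile.extractall(filter="data")` enforces a similar policy at extraction time (it rejects names and link targets that escape the destination); the check above makes the decision explicit before any file is written.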
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opentext | documentum_content_server | <= 7.3 | — |
Detection & IOCs (extracted from sources)
- Monitor Documentum dmr_content objects created with page_modifier='dm_batch' or page_modifier='vuln', which are used by the exploit to stage and retrieve malicious TAR content.
- Alert on Documentum DQL queries for dmr_content WHERE page_modifier='vuln', which is the exploit's marker string used to retrieve exfiltrated file content.
- Monitor access to dfc.keystore under the DOCUMENTUM_SHARED/config/ path; the exploit downloads this keystore to forge a trusted identity and escalate to the install owner (dmadmin).
- Detect Documentum sessions authenticating with Identity(trusted=True, keystore=...) — the exploit uses the stolen keystore to create a trusted session as the server install owner without a password.
- Monitor for TAR archives (GNU_FORMAT) uploaded to Documentum that contain a property.txt file alongside symlink entries — this is the specific TAR structure crafted by the exploit.
- Detect use of the default Documentum service account 'dm_bof_registry' authenticating to Content Server, as this is the low-privileged account used to initiate the exploit.
- Note: the exploit targets Documentum Content Server through version 7.3; the hardcoded paths (e.g., /u01/documentum/cs/product/7.2/...) are environment-specific and may differ across deployments — detection rules based on these paths should be adapted to the actual installation prefix.
- Note: the exploit falls back to a TLS connection with cipher suite 'ALL:aNULL:!eNULL' (including null-auth ciphers) when the standard TCP connection is refused; network inspection of Documentum traffic may need to account for this encrypted fallback channel.
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.