
Privilege Elevation and Logging Bypass Vulnerabilities in OpenText Content Manager

Technical

Published by Evan Pearce, Security Testing and Assurance on 28 November 2024

 

In late 2023, as part of a customer engagement, CyberCX identified two significant vulnerabilities in the OpenText Content Manager product. These vulnerabilities allowed low-privilege users to perform unauthorised actions in the system and to prevent actions from being recorded in audit logs.

CyberCX promptly alerted OpenText and these vulnerabilities have now been patched.

Content Manager is an electronic document and records management system (EDRMS) used by government agencies, regulated industries, and large organisations to manage physical and electronic records. The vulnerabilities affected the desktop client.

 

What we found

Our testing identified that some authorisation and logging controls were implemented only within the Content Manager desktop client and not enforced by the server. Using software instrumentation tools on a client system, it was possible to manipulate the local application flow to bypass these checks and perform unauthorised actions on the server or avoid sending audit events for actions performed.

Attacks required valid user authentication, but no specific privileges.

Given the criticality of EDRMS systems and potential delays in upgrading, we are withholding the full technical details of the vulnerabilities.
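The general weakness class described above (authorisation and audit logging left to the client rather than enforced by the server) is shown below beside its server-enforced form. This is an added illustration, not OpenText code, and it does not reproduce the withheld technical details; the `Server` class, roles, tokens and record IDs are all hypothetical.

```python
# Added illustration: hypothetical record store, not OpenText Content Manager code.
from dataclasses import dataclass, field

PERMISSIONS = {"records_admin": {"read", "delete"}, "clerk": {"read"}}  # constructed roles

@dataclass
class Server:
    sessions: dict   # token -> (user, role), established at authentication
    records: dict    # record_id -> content
    audit: list = field(default_factory=list)

    def delete_trusting_client(self, token, record_id):
        """Flawed: assumes the client already checked permissions and will
        report its own audit event afterwards."""
        if token not in self.sessions:
            raise PermissionError("not authenticated")
        self.records.pop(record_id, None)

    def client_audit_event(self, token, event):
        """Flawed: the audit trail holds only what clients choose to report."""
        self.audit.append((self.sessions[token][0], event))

    def delete_enforced(self, token, record_id):
        """Hardened: the server authorises from its own session state and
        writes the audit entry itself, including for denied attempts."""
        if token not in self.sessions:
            raise PermissionError("not authenticated")
        user, role = self.sessions[token]
        allowed = "delete" in PERMISSIONS.get(role, set())
        self.audit.append((user, "delete", record_id, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not delete {record_id}")
        self.records.pop(record_id, None)

def demo():
    """Compare both paths for an authenticated low-privilege user whose
    client performs neither the local check nor the audit call."""
    srv = Server({"t1": ("alice", "clerk")}, {"R1": "minutes", "R2": "contract"})
    srv.delete_trusting_client("t1", "R1")      # record removed, nothing logged
    flawed = ("R1" in srv.records, list(srv.audit))
    try:
        srv.delete_enforced("t1", "R2")
        denied = False
    except PermissionError:
        denied = True
    return flawed, denied, "R2" in srv.records, srv.audit
```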

 

Impact

Successful exploitation of these vulnerabilities could allow an adversary to perform unauthorised actions within Content Manager, including changing access policies, deleting document revisions and deleting entire records. Logging of actions could also be suppressed.

The vulnerabilities could be exploited together, allowing a threat actor to elevate their privileges while excluding those activities from audit logs.

In organisations that use an EDRMS, the system is typically a source of truth for the documents and records it manages. Unauthorised and unlogged changes or deletions could result in significant business impacts.

 

Affected versions

CyberCX identified these vulnerabilities in a Content Manager 10.0 environment. OpenText confirmed applicability to all then-supported versions, including 10.0, 10.1, 23.3 and 23.4. Previous versions are likely to also be affected.

Patches for the privilege elevation vulnerability (CVE-2024-1973) were released for versions 10.0, 10.1, 23.3 and 23.4. This vulnerability was also addressed in the initial release of Content Manager 24.2.

Patches for the logging bypass vulnerability (CVE-2024-10863) were released for versions 10.1, 23.4, 24.2 and 24.3. Versions 10.0 and 23.3 were affected but no longer considered current. This vulnerability was also addressed in the initial release of Content Manager 24.4.

Organisations using Content Manager should ensure the server is running a patch released on 29 October 2024 or later.

 

CVE Details

CVE ID: CVE-2024-1973

Credit: Evan Pearce, CyberCX

CVSS v3.1 Base: 8.5

CVSS v3.1 Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

 

CVE ID: CVE-2024-10863

Credit: Evan Pearce, CyberCX

CVSS v4.0 Base: 5.1

CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

 

 

Timeline

6 December 2023 – Vulnerability details provided to OpenText by CyberCX.

13 December 2023 – Vulnerabilities confirmed by OpenText.

25 March 2024 – Public disclosure of privilege elevation vulnerability (CVE-2024-1973) and patches.

18 November 2024 – Public disclosure of logging bypass vulnerability (CVE-2024-10863) and patches.

CyberCX would like to thank OpenText for their cooperation in addressing these vulnerabilities.

 


 

As part of our mission to secure our communities, CyberCX’s Security Testing and Assurance (STA) team regularly examines popular products available in Australia for vulnerabilities and potential exploits. Where these are discovered we raise Common Vulnerabilities and Exposures (CVE) and work with the vendor to patch these as soon as possible.

 
