Thursday, March 12, 2015

eDOCS DM Auto Logon Security Issue - FAQ for DM administrators

Foreword: Earlier today OpenText released a hotfix for this issue. The security hotfix is not available to me and I cannot test it. I hope it works well. Below is my version of an FAQ on the Auto Logon security issue.

Q. Which DM versions are affected by issue DM-32057?
A. All of them (DM 10 prior to P1, DM 5.3.1 P5b and earlier, DM 5.3.0 P5 RU5 and earlier).

Q. What can an intruder do to my library through the Auto Logon breach?
A. That depends on the intruder's goals and imagination. An intruder can quietly sneak into the library and read other users' documents, or can quickly scramble the entire library by replacing real documents with garbage through a series of logins as random users. OpenText has rated the vulnerability as HIGH, and also gave a very good explanation of what HIGH means.

Q. Can I detect an intruder?
A. I'm afraid you cannot. The only method I know of is to enable server logs on all your DM servers and watch for suspicious activity by parsing the logs in real time. The problem is that no one knows which suspicious activity to expect... If a user comes to you and says that a document's history shows she opened a document which she did not open, you had better believe her rather than question her memory.

Q. Then what should I do to mitigate the vulnerability?
A. Disable Auto Logon in your DM environment as the DM-32057 bulletin suggests.

Q. Will my users like it?
A. No, they will likely hate you for this. They won't be able to understand why DM is the only application that constantly asks them for a password.

Q. Our users' Windows accounts are now locked more often after I disabled Auto Logon. Why?
A. Ask your users to be more careful when typing their passwords. With Auto Logon disabled, every password typed into the DM logon dialog is validated against the user's Windows account, so each mistyped DM password counts as a failed Windows logon attempt and, after enough of them, trips the account lockout threshold. The DM Server does not tolerate carelessness.

Q. Can I disable the DM WCF service instead of disabling the Auto Logon feature?
A. You can, but it is insufficient. Disabling the WCF Host service removes two of the three communication endpoints, HTTP and Net.TCP, but the DCOM endpoint remains and can still be used for an attack. Moreover, disabling endpoints reduces the DM Server's availability to your legitimate clients. UPD: the DM WCF Service publishes 5 endpoints, not 2, in DM 5.3.1.

Q. Is it easy for OpenText to fix the issue in eDOCS DM?
A. Probably it was: a hotfix has been released for DM 5.3.x and DM 10. UPD: my opinion on the hotfix.

Q. Did OpenText know about this issue before?
A. They have known about it since 2013.

Q. Why didn't they fix it then?
A. I think they wanted to release DM 10 first. However, you should ask them, not me.

Q. I'm a hacker. The DM admin has just disabled the Auto Logon feature and I can no longer use other users' logins... :(
A. Oh, man, I feel for you... Well, you can re-enable Auto Logon through SQL Passthrough by executing a query like the one shown below via the DM API:

  UPDATE DOCSADM.DOCSPARMS SET AUTO_LOGIN='Y'

Hey, DM admin: this is a good example of the suspicious activity you should be watching for, if you care.
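To make the two detection points above concrete (the "parse the server logs in real time" advice and the DOCSPARMS passthrough query as one known indicator), here is an added example of a small log scanner. It is my own illustration, not code from the original post, from OpenText, or from eDOCS DM. The log line layout it parses is constructed for the example; real DM server logs look different, so the parsing regex is an assumption to be adapted. Rule 1 matches what the post names explicitly (a passthrough statement that writes to DOCSPARMS or touches AUTO_LOGIN); rule 2 is my own generalisation of the "logins as random users" scenario and flags one client host logging on as many distinct DM users in a short window, with thresholds that are assumptions to be tuned.

```python
"""Toy detector for the suspicious DM activity discussed in the post.

Added example, not part of the original post or of eDOCS DM. The log line
format below is CONSTRUCTED for the example and the regexes that parse it
are assumptions; adapt them to what your DM server actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample layout: "<date> <time> <client host> <user> <event> <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\w+) ?(?P<detail>.*)$"
)

# Rule 1: a passthrough statement that writes to DOCSPARMS or mentions
# AUTO_LOGIN at all. A plain SELECT from DOCSPARMS does not match.
PASSTHROUGH_RE = re.compile(
    r"\b(UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+(DOCSADM\.)?DOCSPARMS\b"
    r"|\bAUTO_LOGIN\b",
    re.IGNORECASE,
)


def parse(line):
    """Parse one constructed-format log line; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def scan(lines, window=timedelta(minutes=5), max_users=3):
    """Return (timestamp, rule, description) alerts for the given log lines.

    Rule "passthrough-autologin": any SQLPASSTHROUGH event whose statement
    modifies DOCSPARMS or touches AUTO_LOGIN.
    Rule "many-users-one-host": one client host logs on as more than
    `max_users` distinct DM users inside `window` (assumed thresholds).
    """
    alerts = []
    logons = defaultdict(list)  # host -> [(timestamp, user), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the scanner
        if rec["event"] == "SQLPASSTHROUGH" and PASSTHROUGH_RE.search(rec["detail"]):
            alerts.append((rec["ts"], "passthrough-autologin",
                           f"{rec['user']}@{rec['host']}: {rec['detail']}"))
        elif rec["event"] == "LOGON":
            hist = logons[rec["host"]]
            hist.append((rec["ts"], rec["user"]))
            # Slide the window: forget logons older than `window`.
            while hist and rec["ts"] - hist[0][0] > window:
                hist.pop(0)
            users = {u for _, u in hist}
            if len(users) > max_users:
                alerts.append((rec["ts"], "many-users-one-host",
                               f"{rec['host']} logged on as {sorted(users)}"))
                hist.clear()  # one alert per burst, not one per extra user
    return alerts


# Constructed sample log (not real DM output): a harmless read of DOCSPARMS,
# the re-enable query from the post, and a burst of logins from one host.
SAMPLE_LOG = """\
2015-03-12 09:00:01 10.1.1.7 jsmith LOGON ok
2015-03-12 09:00:05 10.1.1.7 jsmith SQLPASSTHROUGH SELECT * FROM DOCSADM.DOCSPARMS
2015-03-12 09:01:10 10.1.1.9 bwayne SQLPASSTHROUGH UPDATE DOCSADM.DOCSPARMS SET AUTO_LOGIN='Y'
2015-03-12 09:02:00 10.1.1.9 bwayne LOGON ok
2015-03-12 09:02:01 10.1.1.9 ckent LOGON ok
2015-03-12 09:02:02 10.1.1.9 dprince LOGON ok
2015-03-12 09:02:03 10.1.1.9 hjordan LOGON ok
2015-03-12 09:30:00 10.1.1.7 jsmith LOGON ok
"""

if __name__ == "__main__":
    for ts, rule, desc in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} [{rule}] {desc}")
```

Run against the constructed sample it raises exactly two alerts: the AUTO_LOGIN update from 10.1.1.9 and the four-user login burst from the same host, while the SELECT against DOCSPARMS and the normal jsmith logons stay quiet. In a real deployment you would feed it the DM server log as it grows and treat the first rule as a hard alert, since no legitimate client should be flipping that flag.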

Q. Is Auto Logon the only security breach in eDOCS DM?
A. No, it is not. More issues exist. Here are the other two.
