CVE-2020-5315
📋 TL;DR
Dell EMC Repository Manager (DRM) version 3.2 stores proxy server passwords in plain text in a local database. This allows any authenticated local user with file system access to read these passwords and potentially impersonate the proxy user. Only DRM 3.2 installations with proxy configuration are affected.
💻 Affected Systems
- Dell EMC Repository Manager (DRM)
⚠️ Risk & Real-World Impact
Worst Case
Malicious local user obtains proxy credentials, uses them to access external systems with the proxy user's privileges, potentially leading to data exfiltration, lateral movement, or further compromise.
Likely Case
Local user reads stored proxy password, uses it to authenticate to the proxy server, gaining unauthorized network access or performing actions as the proxy user.
If Mitigated
With proper access controls limiting local file system access to trusted administrators only, the exposure is contained to authorized personnel.
🎯 Exploit Status
Exploitation requires local authenticated access to the file system where DRM stores its database; no special tools or skills needed beyond file reading.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DRM version 3.2.1 or later
Vendor Advisory: https://www.dell.com/support/article/us/en/04/sln319925/dsa-2020-001-dell-emc-repository-manager-drm-sensitive-data-exposure-vulnerability?lang=en
Restart Required: Yes
Instructions:
1. Download DRM version 3.2.1 or later from Dell support site.
2. Install the update following Dell's installation guide.
3. Restart the DRM service or system as required.
🔧 Temporary Workarounds
Remove proxy configuration
If a proxy is not required, remove the proxy server configuration from DRM to eliminate the stored password.
Open DRM GUI, navigate to Settings > Proxy, and clear proxy server details.
Restrict file system permissions
Limit access to the DRM database directory to only necessary administrative users.
Windows: icacls "C:\ProgramData\Dell\DRM\database" /deny Users:(R,W,X)
Linux: chmod 700 /opt/dell/drm/database
🧯 If You Can't Patch
- Restrict local user access to the DRM host to trusted administrators only.
- Monitor access to the DRM database files for unauthorized read attempts.
🔍 How to Verify
Check if Vulnerable:
Check the DRM version via the GUI (Help > About) or the command line: 'drm --version' on Linux, or check installed programs on Windows. If the version is 3.2 and a proxy is configured, the installation is vulnerable.
Check Version:
drm --version
Verify Fix Applied:
After updating, confirm version is 3.2.1 or later. Check that proxy passwords are no longer stored in plain text by inspecting the database file (if accessible) for encrypted or absent passwords.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access events to DRM database files by non-admin users
- Failed authentication attempts to proxy server from unexpected sources
Network Indicators:
- Proxy authentication from unexpected IP addresses or user accounts
SIEM Query:
source="windows_security" EventID=4663 ObjectName="*\Dell\DRM\database*" AND AccessMask=0x1
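The file-access indicator and SIEM query above, applied to exported Windows Security events, as an added example (not code from Dell or from this page's source). The allow-list accounts, the `drm.db` file name and the sample events are constructed assumptions; the database path is the one given in the workaround above.

```python
import fnmatch

READ_DATA = 0x1                        # ReadData bit of a 4663 AccessMask
DB_PATTERN = r"*\dell\drm\database*"   # path filter from the query, lowercased
# Assumption: accounts expected to read the database on this host.
ALLOWED = {"system", "drm_admin"}

def suspicious_reads(events, allowed=ALLOWED):
    """Return (time, user, object, mask) for unexpected reads of the DRM database."""
    hits = []
    for ev in events:
        if str(ev.get("EventID")) != "4663":
            continue
        obj = ev.get("ObjectName", "")
        if not fnmatch.fnmatchcase(obj.lower(), DB_PATTERN):
            continue
        try:
            mask = int(str(ev.get("AccessMask", "0x0")), 16)
        except ValueError:
            continue                   # malformed mask: skip rather than crash
        # Bitwise test: a combined mask such as 0x120089 still contains ReadData,
        # which an exact AccessMask=0x1 comparison would not match.
        if not mask & READ_DATA:
            continue
        user = ev.get("SubjectUserName", "").lower()
        if user not in allowed:
            hits.append((ev.get("TimeCreated"), user, obj, hex(mask)))
    return hits

def _ev(event_id, time, user, obj, mask):
    return {"EventID": event_id, "TimeCreated": time, "SubjectUserName": user,
            "ObjectName": obj, "AccessMask": mask}

# Constructed sample events (not real logs); "drm.db" is a placeholder file name.
DB = r"C:\ProgramData\Dell\DRM\database\drm.db"
SAMPLE_EVENTS = [
    _ev(4663, "2020-02-03T09:14:02Z", "jsmith", DB, "0x1"),       # plain read
    _ev(4663, "2020-02-03T09:14:05Z", "SYSTEM", DB, "0x1"),       # allow-listed
    _ev(4663, "2020-02-03T09:15:40Z", "jsmith", DB, "0x120089"),  # combined mask
    _ev(4663, "2020-02-03T09:16:11Z", "jsmith", r"C:\Users\jsmith\notes.txt", "0x1"),
    _ev(4663, "2020-02-03T09:17:30Z", "jsmith", DB, "0x2"),       # write only
    _ev(4656, "2020-02-03T09:18:00Z", "jsmith", DB, "0x1"),       # other event ID
]

if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE_EVENTS):
        print(hit)
```

Event 4663 is only written when file system auditing is enabled and an audit entry (SACL) covers the database directory.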