A security vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client. The buffer overrun vulnerability affects the Client Acceptor Daemon (CAD), and also the scheduler if using SCHEDMODE PROMPTED. A workaround and fix are available.
This problem applies to product versions that are EOS.
A buffer overrun vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client (APAR IC56773). The buffer overrun can be exploited to crash the client and also potentially to inject malicious code. This vulnerability affects two areas of the client:
- the Client Acceptor Daemon (CAD) and its remote agent
- the Backup-Archive client scheduler and scheduler service when the option SCHEDMODE is set to PROMPTED, whether or not the scheduler is managed by the CAD
The CAD is not started by default when the Backup-Archive client is started, except for TSM Express Backup-Archive clients. The CAD must be started separately to be used, and there is no exposure to the CAD vulnerability if it is not started.
The following client functions use the CAD and/or the remote agent:
- the Web Client GUI
- CAD-managed scheduler (the default is the traditional scheduler, except for Macintosh and TSM Express clients)
Six related TSM products do not contain this vulnerability, but some of their functions require the CAD to be running in the Backup-Archive client. These specific products and functions are:
- TSM for Mail: Data Protection (DP) for Domino - Remote GUI only
- TSM for Copy Services - VSS operations only
- TSM for Databases: DP for SQL - VSS operations only
- TSM for Mail: DP for Exchange - VSS operations only
- TSM for Advanced Copy Services - DB2 UDB Integration Module only
- TSM Administration Center - remote access to Web Backup-Archive client GUI only
Workaround:
1. Set the SCHEDMODE option back to POLLING (the default) on the client machine
2. Stop using the CAD and stop its executable (dsmcad), if it was being used
Note: there are no workarounds for TSM Express clients. You must install their fixing client update.
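To verify that the workaround above is actually in place on a client, the following added audit script (not IBM's code, written for this technote) scans a Backup-Archive client option file for any server stanza still set to SCHEDMODE PROMPTED and checks whether a dsmcad process is running. It assumes the standard option-file layout (SERVERNAME stanzas in dsm.sys on Unix, a single unstructured dsm.opt on Windows, `*` comment lines) and uses a constructed sample file rather than a real configuration.

```sh
#!/bin/sh
# Audit helper for APAR IC56773 workaround: report stanzas that still use
# SCHEDMODE PROMPTED and detect a running Client Acceptor Daemon (dsmcad).

# Print "<stanza> PROMPTED" for every server stanza whose SCHEDMODE is PROMPTED.
# Options found before any SERVERNAME line (e.g. a Windows dsm.opt) are
# reported under the stanza name "(global)". Keywords are case-insensitive.
audit_schedmode() {
    awk '
        BEGIN { stanza = "(global)" }
        /^[ \t]*\*/ { next }                          # "*" begins a comment line
        {
            key = toupper($1)
            if (key == "SERVERNAME") { stanza = $2; next }
            if (key == "SCHEDMODE" && toupper($2) == "PROMPTED")
                print stanza, toupper($2)
        }
    ' "$1"
}

# Return 0 if a dsmcad process is running (the CAD exposure), 1 otherwise.
cad_running() {
    ps -eo comm 2>/dev/null | grep -qx 'dsmcad'
}

# Constructed sample dsm.sys (assumption: not taken from any real system).
SAMPLE_DSM_SYS="$(mktemp)"
trap 'rm -f "$SAMPLE_DSM_SYS"' EXIT
cat > "$SAMPLE_DSM_SYS" <<'EOF'
* constructed sample dsm.sys for demonstration only
SERVERNAME  tsm_prod
   COMMMETHOD        TCPIP
   TCPSERVERADDRESS  tsm.example.invalid
   SCHEDMODE         PROMPTED
   MANAGEDSERVICES   SCHEDULE WEBCLIENT

SERVERNAME  tsm_dr
   COMMMETHOD        TCPIP
   schedmode         polling
EOF

echo "Stanzas still using SCHEDMODE PROMPTED (empty output = workaround applied):"
audit_schedmode "$SAMPLE_DSM_SYS"
if cad_running; then echo "dsmcad is running"; else echo "dsmcad is not running"; fi
```

Run it against /opt/tivoli/tsm/client/ba/bin/dsm.sys (or the Windows dsm.opt) instead of the sample file to audit a real client; a stanza listed in the output still needs step 1 applied.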
Backup-Archive Client levels in extended support that contain the vulnerability:
Note: Version 6.1 and later Backup-Archive Client levels are not affected by this vulnerability.
|TSM 5.5||220.127.116.11 to 18.104.22.168|
|TSM 5.4||22.214.171.124 to 126.96.36.199|
Solution and Client Package Levels Containing the Fix:
Since client maintenance is cumulative, and TSM 5.4 and TSM 5.5 have reached end of support, upgrade to one of the latest client releases in support, which all contain the fix: http://www.ibm.com/support/docview.wss?uid=swg21239415
Otherwise, install the latest version 5.4 or 5.5 fix pack. The fix pack includes the fix for the vulnerability as well as fixes for other issues discovered since the original fixing levels for this vulnerability were released.
|Latest Fix Pack Level||Platforms||Link to Download Page or FTP directory|
|188.8.131.52||All clients except z/OS Unix System Services (USS)||AIX
|184.108.40.206||z/OS Unix System Services (USS) client||Order PTFs UK61527 and UK61528|
|220.127.116.11||All clients except z/OS Unix System Services (USS)||AIX
|18.104.22.168||z/OS Unix System Services (USS) client||Upgrade to and order the 5.5.3 PTFs UK61527 and UK61528|
This problem (ZDI-CAN-321) was brought to IBM's attention by TippingPoint (a division of 3Com) and the Zero Day Initiative.
[edited 30 Oct 2008 to clarify Workaround section]
[edited 30 Nov 2008 to add SQL 2000/MySQL technote link]
[edited 2 June 2014 to clean up broken links and remove references to products that are no longer in mainstream or extended support, and identify those which reached end of mainstream support]
|Storage Management||Tivoli Storage Manager Express|
|Storage Management||Tivoli Storage Manager for Advanced Copy Services|
|Storage Management||Tivoli Storage Manager for Copy Services||MS Exchange VSS Snapshot|
|Storage Management||Tivoli Storage Manager for Databases||Data Protection for MS SQL|
|Storage Management||Tivoli Storage Manager for Mail|