TSM client buffer overrun security vulnerability - Oct 2008

Flash (Alert)


Abstract

A security vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client. The buffer overrun vulnerability affects the Client Acceptor Daemon (CAD), and also the scheduler if using SCHEDMODE PROMPTED. A workaround and fix are available.

This problem applies to product versions that are EOS.

Content


Problem Summary:
A buffer overrun vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client (APAR IC56773). The buffer overrun can be exploited to crash the client and also potentially to inject malicious code. This vulnerability affects two areas of the client:

  • the Client Acceptor Daemon (CAD) and its remote agent
  • the Backup-Archive client scheduler and scheduler service when the option SCHEDMODE is set to PROMPTED, whether or not the scheduler is managed by the CAD
If you have option SCHEDMODE set to POLLING (the default), and do not use the CAD, you are not affected by this vulnerability. The workaround and the packages containing the fix are detailed below.

The CAD is not started by default when the Backup-Archive client is started, except for TSM Express Backup-Archive clients. The CAD must be started separately to be used, and there is no exposure to the CAD vulnerability if it is not started.

The following client functions use the CAD and/or the remote agent:
  • the Web Client GUI
  • CAD-managed scheduler (the default is the traditional scheduler, except for Macintosh and TSM Express clients)

Six related TSM products do not contain this vulnerability, but some of their functions require the CAD to be running in the Backup-Archive client. These specific products and functions are:
  • TSM for Mail: Data Protection (DP) for Domino - Remote GUI only
  • TSM for Copy Services - VSS operations only
  • TSM for Databases: DP for SQL - VSS operations only
  • TSM for Mail: DP for Exchange - VSS operations only
  • TSM for Advanced Copy Services - DB2 UDB Integration Module only
  • TSM Administration Center - remote access to Web Backup-Archive client GUI only

Workaround:
1. Set the SCHEDMODE option back to POLLING (the default) on the client machine
2. Stop using the CAD and stop its executable (dsmcad), if it was being used
Note: there are no workarounds for TSM Express clients. You must install their fixing client update.

Backup-Archive Client levels in extended upport that contain the vulnerability:
Note: Version 6.1 and later Backup-Archive Client levels are not affected by this vulnerability.
    Release Client Levels
    TSM 5.5 5.5.0.0 to 5.5.0.7
    TSM 5.4 5.4.0.0 to 5.4.2.2

Solution and Client Package Levels Containing the Fix:
Since client maintenance is cumulative, and TSM 5.4 and TSM 5.5 have reached end of support, upgrade to one of the latest client releases in support, which all contain the fix: http://www.ibm.com/support/docview.wss?uid=swg21239415
Otherwise, install the latest version 5.4 or 5.5 fix pack. The fix pack includes the fix for the vulnerability as well as fixes for other issues discovered since the original fixing levels for this vulnerability were released.

Latest Fix Pack Level Platforms Link to Download Page or FTP directory
5.5.4.0 All clients except z/OS Unix System Services (USS) AIX
HP-UX PA-RISC
HP-UX Itanium
Linux x86/x86_64
Linux Power
Linux Itanium
Linux zSeries
Mac
NetWare
OS400
Solaris SPARC
Solaris x86
Windows x32
Windows x64
Windows IA64
5.5.3.0 z/OS Unix System Services (USS) client Order PTFs UK61527 and UK61528
5.4.3.0 All clients except z/OS Unix System Services (USS) AIX
HP-UX PA-RISC
HP-UX Itanium
Linux x86/x86_64
Linux Power
Linux zSeries
Mac
NetWare
OS400
Solaris SPARC
Solaris x86
Windows x32
Windows x64
Windows IA64
5.4.3.0 z/OS Unix System Services (USS) client Upgrade to and order the 5.5.3 PTFs UK61527 and UK61528


Acknowledgements:
This problem (ZDI-CAN-321) was brought to IBM's attention by Tipping Point (a division of 3Com) and the Zero Day Initiative

[edited 30 Oct 2008 to clarify Workaround section]
[edited 30 Nov 2008 to add SQL 2000/MySQL technote link]
[edited 2 June 2014 to clean up broken links and remove references to products that are no longer in mainstream or extended support, and identify those which reached end of mainstream support]


Cross reference information
Segment Product Component Platform Version Edition
Storage Management Tivoli Storage Manager Express
Storage Management Tivoli Storage Manager for Advanced Copy Services
Storage Management Tivoli Storage Manager for Copy Services MS Exchange VSS Snapshot
Storage Management Tivoli Storage Manager for Databases Data Protection for MS SQL
Storage Management Tivoli Storage Manager for Mail

Rate this page:

(0 users)Average rating

Document information


More support for:

Tivoli Storage Manager
Client

Software version:

5.1, 5.2, 5.3, 5.4, 5.5

Operating system(s):

AIX, HP-UX, Linux, Macintosh, NetWare, Solaris, TRU64 UNIX, Windows, z/OS

Reference #:

1322623

Modified date:

2008-10-30

Translate my page

Machine Translation

Content navigation