TSM client buffer overrun security vulnerability - Oct 2008

Flash (Alert)


Abstract

A security vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client. The buffer overrun vulnerability affects the Client Acceptor Daemon (CAD), and also the scheduler if using SCHEDMODE PROMPTED. A workaround and fix are available.

Content

Problem Summary:
A buffer overrun vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client (APAR IC56773). The buffer overrun can be exploited to crash the client and also potentially to inject malicious code. This vulnerability affects two areas of the client:

  • the Client Acceptor Daemon (CAD) and its remote agent
  • the Backup-Archive client scheduler and scheduler service when the option SCHEDMODE is set to PROMPTED, whether or not the scheduler is managed by the CAD
If you have option SCHEDMODE set to POLLING (the default), and do not use the CAD, you are not affected by this vulnerability. The workaround and the packages containing the fix are detailed below.

The CAD is not started by default when the Backup-Archive client is started, except for TSM Express Backup-Archive clients. The CAD must be started separately to be used, and there is no exposure to the CAD vulnerability if it is not started.

The following client functions use the CAD and/or the remote agent:
  • the Web Client GUI
  • CAD-managed scheduler (the default is the traditional scheduler, except for Macintosh and TSM Express clients)

Six related TSM products do not contain this vulnerability, but some of their functions require the CAD to be running in the Backup-Archive client. These specific products and functions are:
  • TSM for Mail: Data Protection (DP) for Domino - Remote GUI only
  • TSM for Copy Services - VSS operations only
  • TSM for Databases: DP for SQL - VSS operations only
  • TSM for Mail: DP for Exchange - VSS operations only
  • TSM for Advanced Copy Services - DB2 UDB Integration Module only
  • TSM Administration Center - remote access to Web Backup-Archive client GUI only

Workaround:
1. Set the SCHEDMODE option back to POLLING (the default) on the client machine
2. Stop using the CAD and stop its executable (dsmcad), if it was being used
Note: there are no workarounds for TSM Express clients. You must install their fixing client update.

Backup-Archive Client Levels In Support (or Covered by Support Extensions) that contain the vulnerability:
Release Client Levels
TSM 5.5 5.5.0.0 to 5.5.0.7
TSM 5.4 5.4.0.0 to 5.4.2.2
TSM 5.3 5.3.0.0 to 5.3.6.1
TSM 5.2 5.2.0.0 to 5.2.5.2
TSM 5.1 5.1.0.0 to 5.1.8.1
TSM Express all levels


Solution and Client Package Levels Containing the Fix:
Install the client update packages that include the fix for the vulnerability (see table below). Later levels are cumulative and would also include the fix.

TSM Windows and Macintosh client users:
  • The TSM Windows and Macintosh 5.5.1.0 and 5.4.2.3 clients fix the security vulnerability but contain other issues described by flashes Windows IC57348 flash and Macintosh IC57344 flash. Read these two flashes and evaluate whether to apply the later update packages (5.5.1.6 or 5.4.2.4), which fix those issues as well as the security vulnerability.

Fix Level Platforms Link to Download Page or FTP directory
5.5.1.0 All clients 5.5.1.0 all clients but USS
5.5.1.0 z/OS Unix System Services (USS) client Order PTFs UK38417 and UK38418
5.5.1.6 Windows x32
Windows IA64
Windows x64
Macintosh
5.5.1.6 Win x32
5.5.1.6 Win IA64
5.5.1.6 Win x64
5.5.1.6 Macintosh
5.4.2.3 All clients 5.4.2.3 all clients but USS
5.4.2.3 z/OS Unix System Services (USS) client Order PTFs UK41117 and UK41118
5.4.2.4 Windows x32
Windows IA64
Windows x64
Macintosh
5.4.2.4 Win x32
5.4.2.4 Win IA64
5.4.2.4 Win x64
5.4.2.4 Macintosh
5.3.6.2 AIX
Macintosh
NetWare
Linux x86
HP PA-RISC
Solaris SPARC
Windows x32
Windows x64
5.3.6.2 all clients with support extensions
5.3.6.2 "special" Linux x86 RHEL 3
Solaris 8
Win 2000
5.3.6.2 all "special" clients
5.2.5.3 AIX
Solaris SPARC
5.2.5.3 AIX
5.2.5.3 Solaris SPARC
5.1.8.2 AIX
Solaris SPARC
Tru64 UNIX
Windows NT
5.1.8.2 AIX
5.1.8.2 Solaris SPARC
5.1.8.2 Tru64
5.1.8.2 Win NT
5.3 Express Windows x32
Windows x64
5.3.6.2 Express


Acknowledgements:
This problem (ZDI-CAN-321) was brought to IBM's attention by Tipping Point (a division of 3Com) and the Zero Day Initiative

[edited 30 Oct 2008 to clarify Workaround section]
[edited 30 Nov 2008 to add SQL 2000/MySQL technote link]

Cross Reference information
Segment Product Component Platform Version Edition
Storage Management Tivoli Storage Manager Express
Storage Management Tivoli Storage Manager for Advanced Copy Services
Storage Management Tivoli Storage Manager for Copy Services MS Exchange VSS Snapshot
Storage Management Tivoli Storage Manager for Databases Data Protection for MS SQL
Storage Management Tivoli Storage Manager for Mail

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Tivoli Storage Manager
Client

Software version:

5.1, 5.2, 5.3, 5.4, 5.5

Operating system(s):

AIX, HP-UX, Linux, Macintosh, NetWare, Solaris, TRU64 UNIX, Windows, z/OS

Reference #:

1322623

Modified date:

2008-10-30

Translate my page

Machine Translation

Content navigation