Security Vulnerability - CVE-2011-1220: IBM Tivoli Endpoint lcfd.exe opts Argument Remote Code Execution / CVE-2011-2330: IBM Tivoli Endpoint has an unspecified "built-in account"

Flash (Alert)


Abstract

A malicious HTTP POST request where the parameter is larger than 256 bytes could cause a stack buffer overrun in the web server on the endpoint, potentially allowing a remote attacker to execute arbitrary code on the endpoint. Authentication is required to exploit this vulnerability; however, the default HTTP password can be used until the endpoint initially connects to the server.
The vulnerability affects all versions of Tivoli Management Framework. This issue is addressed by APAR IZ90238 and the fix is included in the endpoint patch.

Content

Problem Summary:

A high risk vulnerability has been identified in all versions of Tivoli Management Framework potentially allowing a remote attacker to execute arbitrary code within the web server on the endpoint (CVE-2011-1220). All versions of Tivoli Management Framework have an unspecified "built-in account" that is easily accessed, which makes it easier for remote attackers to send requests to restricted pages via a session on TCP port 9495 (CVE-2011-2330). These vulnerabilities were reported to IBM by TippingPoint Zero Day Initiative and discovered by Tenable Network Security (reference number ZDI-CAN-964/ZDI-11-169).

(1) CVE-2011-1220
The web server on the endpoint uses a 256-byte stack buffer to hold the HTTP POST parameter. If the parameter is larger than 256 bytes, a stack buffer overrun can occur.

(2) CVE-2011-2330
The default HTTP password is set when the Tivoli endpoint is installed. The default HTTP password is overridden with a new random password when the endpoint initially connects to the server. However, if the endpoint never connects to the server, the default HTTP password can be used to change the endpoint configuration from the web browser.

CVSS Scores:
Using the Common Vulnerability Scoring System (CVSS) v2, the security rating for this issue is:

CVSS: Base Score 9.0
CVSS Temporal Score: 7.0 (Note: See http://xforce.iss.net/xforce/xfdb/67631 for current Temporal Score)
CVSS Environmental Score: Undefined*

CVSS String: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

NOTE:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Recommendation:

(1) CVE-2011-1220
IBM recommends that Tivoli Management Framework customers immediately apply the available patches.
The details below identify the appropriate patch for each release:

Fix               VRMF   TMF Remote Code Vulnerability APAR  Download URL
4.1.1-LCF-0076    4.1.1  IZ90238                             http://www.ibm.com/support/docview.wss?uid=swg24029908
4.3.1-LCF-0012LA  4.3.1  IZ90238                             Contact IBM Technical Support

Note: There are no patches available for 4.1 or earlier versions. Please apply the above patch after upgrading Tivoli Management Framework to 4.1.1 or a later version.

(2) CVE-2011-2330
If the Tivoli Management Framework administrator in your organization knows that your endpoint is registered, the default password is no longer used. In that case, no action is required.
In order not to use the default HTTP password, specify the HTTP password when you install the Tivoli endpoint as follows:
  • (Windows, OS/2) Specify -Dhttpd_pw=yourpassword in the Option field of the installation wizard
  • (Unix, Linux, Windows, Netware) Specify -L "-Dhttpd_pw=yourpassword" as a parameter of the winstlcf command
  • (OS/400) Specify -L "-Dhttpd_pw=yourpassword" as a parameter of the w4inslcf.pl command

Please note that the specified HTTP password can be seen and changed by the Tivoli Management Framework administrator after the endpoint connects to the server.
If your organization does not have a Tivoli Management Framework administrator and the endpoint is not used any more, please refer to the Unmanaged Endpoint section and remove the endpoint as needed.

Workaround:
In case it is not possible to apply the patch quickly, you can work around the issue by disabling the function to change the configuration from a web browser. Use either of the following values for the http_disable configuration option on the endpoint:

"1" Anyone can use a browser to view the configuration data, but no one can use a browser to reconfigure the endpoint.
"2" No one can use a browser to view or reconfigure the endpoint.

Follow these steps to change the http_disable configuration option on the endpoint:

1. Run the wep command:
wep endpoint_label set_config http_disable=1 (or 2)
2. Restart the endpoint

Unmanaged Endpoint:

If the Tivoli endpoint is managed by a Tivoli Management Framework administrator in your organization, please ask the administrator to apply the patch listed in the recommendation section and upgrade the Tivoli endpoint. Do not perform any actions by yourself because the Tivoli endpoint is managed by the central server. Otherwise, the Tivoli Management Framework based applications may become inoperative on your system.
If your organization does not have an administrator and the endpoint is not used any more, please refer to the following information and remove the endpoint as needed.

(1) How to determine whether the Tivoli endpoint is running
Please check whether the specified process / job listed below is running on your system. If the process / job is not running, the Tivoli endpoint is not running so there is no security vulnerability.
(Unix, Linux) The lcfd process
(Windows, OS/2) The lcfd.exe process
(NetWare) The LCFD.NLM process
(OS/400) The QLCFD job

(2) How to determine whether the Tivoli endpoint is installed
The Tivoli Management Framework environment is typically not registered in the operating system. (Refer to item number 5 below for exceptions). Therefore, the operating system command (e.g. rpm, lslpp, etc.) does not show the Tivoli endpoint as installed software.

Please check the existence of the appropriate file listed below to determine whether the Tivoli endpoint is installed or not.
(Unix, Linux) The lcfd executable file
(Windows) The lcfd.exe executable file (or the "Tivoli Endpoint" service)
(OS/2) The lcfd.exe executable file
(NetWare) The LCFD.NLM module file
(OS/400) The QTMELCF library

The files are typically located in the installation directory of the Tivoli endpoint. The following link describes the default directory structure of the Tivoli endpoint:
http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.frmwrk.doc/plan230.htm

(3) How to determine the version of the Tivoli endpoint
There is a last.cfg file, a text file that contains the "lcfd_version" key, in the installation directory of the Tivoli endpoint. The value of the "lcfd_version" shows the version of the Tivoli endpoint.
For example, lcfd_version=43100

(4) How to remove the Tivoli endpoint
The following links describe how to uninstall the Tivoli endpoint:
(Unix, Linux, Windows, OS/2, NetWare) http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.frmwrk.doc/instguid313.htm#laa25546
(OS/400) http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.frmwrk.doc/instguid408.htm#baa38356

(5) How to remove the Tivoli endpoint supplied with an operating system
(AIX) The AIX operating system V4, V5, V6, and V7 installation image includes the Tivoli endpoint. If it is installed, the lslpp command shows the program "Tivoli_Management_Agent.client.rte". The Tivoli endpoint is not started by default. The installp command can be used to remove the Tivoli endpoint.
(OS/400) The i5/OS V5 installation image includes the Tivoli endpoint. If it is installed, the DSPSFWSRC command shows the program "1TMELCF:TIVOLI MANAGEMENT AGENT". The Tivoli endpoint is not started by default. Refer to item number 4 to remove it.
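
The checks in items (2) and (3) above, together with the http_disable workaround, can be scripted when many hosts have to be inventoried. The following is an added example, not IBM code: it walks an installation tree, looks for the endpoint executable and last.cfg, and reports the release line and the fix listed for it. It assumes that the first three digits of lcfd_version are the version, release and modification (43100 is 4.3.1) and that http_disable, when set, is recorded in last.cfg; the sample tree built in demo() is constructed.

```python
import os
import tempfile

# Fix per release line, from the advisory's table; 4.1 and earlier have no patch.
FIXES = {"4.1.1": "4.1.1-LCF-0076", "4.3.1": "4.3.1-LCF-0012LA"}
EXECUTABLES = {"lcfd", "lcfd.exe", "lcfd.nlm"}

def parse_last_cfg(text):
    """Return the key=value pairs of a last.cfg file as a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            cfg[key.strip()] = value.strip()
    return cfg

def release_line(lcfd_version):
    """ASSUMPTION: the first three digits are V.R.M (43100 -> 4.3.1)."""
    head = (lcfd_version or "")[:3]
    return ".".join(head) if len(head) == 3 and head.isdigit() else None

def audit_endpoint(root):
    """Walk an installation tree and summarise what the advisory asks about."""
    installed, cfg = False, {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in EXECUTABLES:
                installed = True
            elif name.lower() == "last.cfg":
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    cfg = parse_last_cfg(fh.read())
    release = release_line(cfg.get("lcfd_version"))
    # ASSUMPTION: http_disable, when set, is also recorded in last.cfg.
    http_disable = cfg.get("http_disable")
    return {"installed": installed, "release": release,
            "fix": FIXES.get(release),  # None: no fix listed, or version unknown
            "http_disable": http_disable,
            "workaround": http_disable in ("1", "2")}

def demo():
    """Run the audit over a constructed installation tree (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        dat = os.path.join(root, "dat", "1")
        os.makedirs(dat)
        open(os.path.join(root, "lcfd"), "w").close()
        with open(os.path.join(dat, "last.cfg"), "w") as fh:
            fh.write("lcfd_version=43100\nhttp_disable=1\n")
        return audit_endpoint(root)
```

A result with "fix" set to None means the release has no listed patch (upgrade to 4.1.1 or later first) or the version could not be read. The script cannot tell whether the listed fix is already applied.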


Date of Creation/Update   Summary of Changes
May 30, 2011              Flash published
June 10, 2011             Added the description and action for CVE-2011-2330
                          Added OS/400 to Platform(s)
                          Changed the CVSS Scores section (updating the Temporal Score)
                          Added the Unmanaged Endpoint section

Related information

Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2011-1220
CVE-2011-2330

Document information

More support for: Tivoli Management Framework
Software version: 3.7.1, 4.1, 4.1.1, 4.3.1
Operating system(s): AIX, HP-UX, Linux, OS/2, OS/400, Solaris, Windows
Reference #: 1499146
Modified date: 2011-06-10
