
Security Bulletin: Possibility for Accidental Disclosure of Microsoft Exchange Mailboxes to Unauthorized Users (CVE-2013-3976)



Abstract

Due to a problem in the Data Protection for Exchange and FlashCopy Manager for Exchange components, once a mailbox is restored into a .PST file, each individual .PST file will be created as expected, but the contents of that .PST file may not be the contents associated with that mailbox name.

Content

VULNERABILITY DETAILS:

DESCRIPTION:
When a Microsoft Exchange email user accidentally deletes an email, folder, or other information from their mailbox, the Microsoft Exchange Administrator can recover these items by restoring the entire user mailbox from backup into a .PST file using either:

  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server, or
  • Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server

Once the mailbox is restored into a .PST file, the mailbox owner can then use Microsoft Outlook to access the contents of the .PST file as a "Local Copy" of their mail file.

When restoring multiple mailboxes via a single restore operation, the result should be that there is one .PST file per mailbox, named like the mailbox, with the respective mailbox contents restored into that file.

Instead, when performing a restore of multiple mailboxes via a single restore operation, each individual .PST file is created as expected, but the contents of that .PST file may not be the contents associated with that mailbox name.

Therefore, if the Microsoft Exchange Administrator did not discover the restore problem before distributing the .PST files to the respective mailbox owners, the .PST file recipient may receive mailbox contents other than their own.

CVEID: CVE-2013-3976
CVSS Base Score: 1.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84881 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:N)


AFFECTED PRODUCTS AND VERSIONS:
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1 and 6.3
  • Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, and 3.1


REMEDIATION:


Data Protection for Microsoft Exchange Version | First Fixing VRMF Level | APAR | Link to Fix or Other Recommendation
6.3 | 6.3.1 | IC81223 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v631/windows/
6.1 | 6.1.3.4 | IC81223 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v613/

FlashCopy Manager for Microsoft Exchange Version | First Fixing VRMF Level | APAR | Link to Fix or Other Recommendation
3.1 | 3.1.1 | IC81223 | Note that 3.1.1 is no longer available for download. Download 3.2.1 to obtain this fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v3r2/windows/v321/
2.2 | N/A | IC81223 | Do one of the following: upgrade to the fixing 3.1 level or a newer level; use the circumvention (see WORKAROUND(S) below); or install and use the Data Protection for Microsoft Exchange 6.1 fix, which provides equivalent functionality when used in a FlashCopy Manager environment.
2.1 | N/A | IC81223 | Do one of the following: upgrade to the fixing 3.1 level or a newer level; use the circumvention (see WORKAROUND(S) below); or install and use the Data Protection for Microsoft Exchange 6.1 fix, which provides equivalent functionality when used in a FlashCopy Manager environment.


WORKAROUND(S):
Perform restore operations to .PST files by specifying only one mailbox name per operation.

MITIGATION(S):
See Workaround above.
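The workaround above is easy to state and easy to get wrong under time pressure when an administrator has a list of mailboxes to recover. The following PowerShell wrapper is an added example and is not part of the IBM bulletin or of either product: it enforces exactly one mailbox name per restore invocation, refuses to overwrite a .PST that already exists (a leftover from a multi-mailbox run could otherwise be distributed by mistake), and reports a per-mailbox result so nothing is handed to mailbox owners unless every single-mailbox restore succeeded. The restore command itself is passed in as a script block; the exact tdpexcc or FlashCopy Manager syntax for a mailbox-to-.PST restore is deliberately not shown and must be taken from the documentation for the installed version. The mailbox names in the usage comment are constructed.

```powershell
# Added example, not from the IBM bulletin: perform mailbox-to-.PST restores
# one mailbox per operation (the bulletin's workaround for CVE-2013-3976) and
# verify that each expected .PST exists before anything is distributed.
#
# $RestoreOne is an administrator-supplied script block that restores ONE
# mailbox into ONE .PST path and returns $true on success. The product
# command line it wraps (tdpexcc / FlashCopy Manager) is an assumption of
# the caller; consult the product documentation for the exact syntax.
#
# Usage (constructed names, hypothetical restore command):
#   .\Restore-OnePerMailbox.ps1 -Mailboxes 'jdoe','asmith' `
#       -PstDirectory 'D:\Restores' `
#       -RestoreOne { param($Mailbox, $PstPath) <single-mailbox restore command>; $LASTEXITCODE -eq 0 }

param(
    [Parameter(Mandatory)] [string[]]    $Mailboxes,     # mailbox names, one restore each
    [Parameter(Mandatory)] [string]      $PstDirectory,  # folder that receives <mailbox>.pst
    [Parameter(Mandatory)] [scriptblock] $RestoreOne     # invoked as & $RestoreOne -Mailbox x -PstPath p
)

if (-not (Test-Path -LiteralPath $PstDirectory)) {
    New-Item -ItemType Directory -Path $PstDirectory | Out-Null
}

$results = foreach ($mbx in $Mailboxes) {
    $pst = Join-Path $PstDirectory "$mbx.pst"

    # A pre-existing file could be a mis-restored .PST from an earlier
    # multi-mailbox run; never silently reuse or overwrite it.
    if (Test-Path -LiteralPath $pst) {
        throw "Refusing to overwrite existing file $pst; move it aside and rerun."
    }

    # Exactly one mailbox name per restore operation.
    $restored = [bool](& $RestoreOne -Mailbox $mbx -PstPath $pst)
    $present  = Test-Path -LiteralPath $pst

    [pscustomobject]@{
        Mailbox   = $mbx
        Pst       = $pst
        Succeeded = ($restored -and $present)
    }
}

$failed = @($results | Where-Object { -not $_.Succeeded })
if ($failed.Count -gt 0) {
    $failed | Format-Table -AutoSize | Out-String | Write-Warning
    throw "$($failed.Count) single-mailbox restore(s) failed; do not distribute any .PST files from this run."
}

# Every mailbox produced its own .PST via its own restore operation.
$results | Format-Table -AutoSize
```

Because each .PST comes from a restore that named only one mailbox, the cross-mailbox mix-up described in this bulletin cannot occur within a run; the existence check is there so that an earlier multi-mailbox restore left in the same folder is not mistaken for a good result.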


REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-3976
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/84881


ACKNOWLEDGEMENT
None

CHANGE HISTORY
19 July 2013: Original Copy Published
05 February 2018: FlashCopy Manager 3.1.1 fix is no longer available for download; update link to point to 3.2.1



*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
25 September 2022

UID

swg21644407