IBM Support

Security Bulletin: Confidential data exposure when restoring Microsoft Exchange mailboxes which have the same alias defined CVE-2015-4950

Security Bulletin


Summary

In environments with duplicated mailbox aliases, FlashCopy Manager for Microsoft Exchange, Data Protection for Microsoft Exchange, and FastBack for Microsoft Exchange may open and restore the wrong mailbox.

Vulnerability Details


CVEID: CVE-2015-4950
DESCRIPTION:
IBM Tivoli Storage FlashCopy Manager, Tivoli Storage Manager for Mail, and Tivoli Storage Manager FastBack for Microsoft Exchange could allow a local user with elevated privileges to obtain sensitive information by manipulating mailbox names that share the same alias.

For example, two mailboxes whose display names differ but whose alias is the same:

Mailbox Display Name    Alias
mailbox1                sales
mailbox2                sales

When two mailboxes have the same alias, users may encounter the following problems when using affected software:

  • the Mailbox Restore Browser interface may populate mailboxes with the folders and messages from a different mailbox than the one intended
  • restoring a mailbox via the CLI interface, using the alias instead of the mailbox display name, may restore a different mailbox than the one intended
  • the mailbox history may not correctly represent the mailboxes that share the same alias

In the case of Tivoli Storage Manager FastBack for Microsoft Exchange, the software may also open the wrong mailbox when the "Open Mailbox" function is used. Folders and messages could subsequently be restored into that incorrect mailbox.

CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1, 3.2, and 4.1
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1, 6.3, 6.4, and 7.1
Tivoli Storage Manager Fastback for Microsoft Exchange 6.1

Remediation/Fixes


Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server

Affected V.R: 4.1
Fixing VRMF: 4.1.1
APAR: IT04251
Remediation/First Fix: Note that 4.1.1 is no longer available for download. You can download 4.1.4 or higher to obtain the fix:
ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/

Affected V.R: 3.2
Fixing VRMF: 3.2.1.7
APAR: IT04251
Remediation/First Fix: Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix:
ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.4.x as the FlashCopy Manager for Microsoft Exchange 3.2.x component. Therefore, you may install and use the 6.4.1.4 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.

Affected V.R: 3.1
Fixing VRMF: None
APAR: IT04251
Remediation/First Fix: This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.3.x as the FlashCopy Manager for Microsoft Exchange 3.1.x component. Therefore, you may install and use the 6.3.1.3 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.

Affected V.R: 2.2
Fixing VRMF: None
APAR: IT04251
Remediation/First Fix: This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.2.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.

Affected V.R: 2.1
Fixing VRMF: None
APAR: IT04251
Remediation/First Fix: This release of the product is end of support and is not eligible for support extensions. Therefore, no fix is planned. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.1.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.


Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Affected V.R: 7.1
Fixing VRMF: 7.1.0.2
APAR: IT04251
Remediation/First Fix: Download packages for Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1.0 interim fix packages (7.1.0.x) and READMEs have been removed from the web as they contain unremediated security vulnerabilities. The latest version of 7.1 (7.1.6) contains fixes for the most recent known security and product issues, and can be found using this link:
http://www.ibm.com/support/docview.wss?uid=swg24042166
If you have any questions, please contact IBM support.

Affected V.R: 6.4
Fixing VRMF: 6.4.1.4
APAR: IT04251
Remediation/First Fix: Note that 6.4.1.4 is no longer available for download. You can download 6.4.1.9 to obtain the fix:
ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/

Affected V.R: 6.3
Fixing VRMF: 6.3.1.3
APAR: IT04251
Remediation/First Fix: Note that 6.3.1.3 is no longer available for download. You can download 6.3.1.6 to obtain the fix:
ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/

Affected V.R: 6.1
Fixing VRMF: 6.1.3.6
APAR: IT04251
Remediation/First Fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v613/x64/


Tivoli Storage Manager FastBack for Microsoft Exchange

Workarounds and Mitigations


For the products:
- Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange

two workarounds exist for this problem:
1) Use the CLI interface to restore the mailbox by specifying the mailbox GUID or display name instead of the alias.
2) Use the Microsoft Exchange Management Console or PowerShell commands to rename the duplicated mailbox alias to a unique value.

For the product:
- Tivoli Storage Manager FastBack for Microsoft Exchange

three workarounds exist for this problem:
1) Open a PST file and restore messages to the PST file. Then, import the PST file contents into the mailbox.
2) Restore messages using the "SMTP Restore" option.
3) Use the Microsoft Exchange Management Console or PowerShell commands to rename the duplicated mailbox alias to a unique value.
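The following PowerShell script is an added example, not IBM's code or part of this bulletin. It implements the duplicate-alias condition described under Vulnerability Details as an audit, and the "rename the duplicated mailbox alias to a unique value" workaround as an optional fix. It assumes an Exchange Management Shell session in which Get-Mailbox and Set-Mailbox are available and the account running it may modify mailboxes; the -Fix switch and the numeric-suffix renaming scheme are assumptions of this example, not an IBM or Microsoft convention.

```powershell
# Added example (not IBM's code): find mailboxes that share an alias and, with -Fix,
# give every duplicate after the first a unique alias.
# Assumes an Exchange Management Shell session and rights to modify mailboxes.
param(
    [switch]$Fix   # assumed switch: without it the script only reports
)

# -ResultSize Unlimited avoids the default cap on returned objects.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Group-Object compares case-insensitively by default, which matches how
# aliases are looked up; keep only groups with more than one mailbox.
$duplicates = $mailboxes |
    Group-Object -Property Alias |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Output "No duplicated mailbox aliases found."
    return
}

foreach ($group in $duplicates) {
    Write-Output ("Alias '{0}' is shared by {1} mailboxes:" -f $group.Name, $group.Count)
    foreach ($mbx in $group.Group) {
        # Display name and ExchangeGuid are the unambiguous identifiers the
        # bulletin recommends using instead of the alias when restoring.
        Write-Output ("    DisplayName='{0}'  ExchangeGuid={1}" -f $mbx.DisplayName, $mbx.ExchangeGuid)
    }

    if ($Fix) {
        # Keep the first mailbox's alias; rename the rest with a numeric suffix
        # (constructed scheme; adapt to the local naming policy).
        $i = 1
        foreach ($mbx in ($group.Group | Select-Object -Skip 1)) {
            $newAlias = "{0}{1}" -f $group.Name, $i
            # Make sure the new alias is not itself already in use.
            while ($mailboxes.Alias -contains $newAlias) {
                $i++
                $newAlias = "{0}{1}" -f $group.Name, $i
            }
            Set-Mailbox -Identity $mbx.ExchangeGuid.ToString() -Alias $newAlias
            Write-Output ("    Renamed alias of '{0}' to '{1}'" -f $mbx.DisplayName, $newAlias)
            $i++
        }
    }
}
```

Run it without -Fix first and keep the report: the DisplayName/ExchangeGuid pairs it prints are exactly the values to pass to the restore CLI in place of the alias. Before running with -Fix, check whether the affected mailboxes have an email address policy applied that derives addresses from the alias, because changing the alias can then change the mailbox's SMTP addresses as well.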

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

13 April 2018: Fixed download links.
13 January 2017: Fixed link to Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1.0.2 interim fix.
02 September 2015: Revised 3.2.1.7 fix row to indicate that this fix is now available.
10 August 2015: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment: Storage Management
Product: Tivoli Storage Manager FastBack for Microsoft Exchange
Version: 6.1

Segment: Storage Management
Product: Tivoli Storage FlashCopy Manager
Component: FlashCopy Manager for Microsoft Exchange
Platform: Windows
Version: 2.1, 2.2, 3.1, 3.2, 4.1

Document information

More support for: Tivoli Storage Manager for Mail
Data Protection for MS Exchange

Software version: 6.1, 6.3, 6.4, 7.1

Operating system(s): Windows

Reference #: 1963629

Modified date: 16 April 2018