IBM Support

Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408)

Security Bulletin


Unauthorized Tivoli Storage Manager client sessions using the ASNODENAME option may run as authorized sessions allowing the user to generate or retrieve backup data for which they are not authorized.

Vulnerability Details

CVEID: CVE-2015-7408
Tivoli Storage Manager clients can use the ASNODENAME option which allows the client session to run as a proxy for another client to which they have been granted proxy authority. The Tivoli Storage Manager server fails to adequately check the authorization of client sessions using the ASNODENAME option and runs the session as an authorized session. As a result, unauthorized users with proxy authority can generate and retrieve backup data that they would otherwise not be allowed to write or access.
CVSS Base Score: 2.9
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) server levels:

  • through 7.1.3.x
  • through
  • 6.2 all levels
  • 6.1 all levels
  • 5.5 all levels


Tivoli Storage Manager Server Release Fixing VRM Level APAR

Link to Fix / Fix Availability Target
7.1 7.1.4 IT13609 AIX
Note that this APAR will not be listed in the startup banner.
6.3 IT13609 AIX
Please contact IBM support to obtain cumulative e-fix level or later. Note that this APAR will not be listed in the startup banner.
6.2, 6.1, and 5.5 IBM recommends upgrading the TSM server to a fixed level (7.1.4 or or use the REVOKE PROXY command to remove all unauthroized users that have been granted proxy access (see Workarounds and Mitigation below).

Workarounds and Mitigations

To eliminate exposure to this vulnerability, only grant proxy access to authorized users. The QUERY PROXY command can be used to determine the users that have been granted proxy access. Use the REVOKE PROXY command to remove all unauthorized users that have been granted proxy access.

You should update the configuration of users running unauthorized who should be running as authorized users. An authorized user is any non-root user who has read and write access to the stored password (TSM.PWD file), or anyone who knows the password and enters it interactively. Authorized users may use the PASSWORDDIR option to define the directory where their copy of the TSM.PWD file is saved. Details on authorized users are described in the IBM Knowledge Center documentation for Tivoli Storage Manager under the section entitled "UNIX and Linux client root and authorized user tasks".

Get Notified about Future Security Bulletins


Related information



Change History

05 February 2016 - Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Storage Management IBM Spectrum Protect Extended Edition Server AIX, HP-UX, Linux, Solaris 5.5, 6.1, 6.2, 6.3, 7.1 All Editions

Document information

More support for: Tivoli Storage Manager

Software version: 5.5, 6.1, 6.2, 6.3, 7.1

Operating system(s): AIX, HP-UX, Linux, Solaris

Software edition: All Editions

Reference #: 1975957

Modified date: 05 February 2016

Translate this page: