Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408)
Unauthorized Tivoli Storage Manager client sessions using the ASNODENAME option may run as authorized sessions allowing the user to generate or retrieve backup data for which they are not authorized.
DESCRIPTION: Tivoli Storage Manager clients can use the ASNODENAME option which allows the client session to run as a proxy for another client to which they have been granted proxy authority. The Tivoli Storage Manager server fails to adequately check the authorization of client sessions using the ASNODENAME option and runs the session as an authorized session. As a result, unauthorized users with proxy authority can generate and retrieve backup data that they would otherwise not be allowed to write or access.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107434 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) server levels:
- 184.108.40.206 through 7.1.3.x
- 220.127.116.11 through 18.104.22.168
- 6.2 all levels
- 6.1 all levels
- 5.5 all levels
|Tivoli Storage Manager Server Release||Fixing VRM Level||APAR||
|Link to Fix / Fix Availability Target|
Note that this APAR will not be listed in the startup banner.
|Please contact IBM support to obtain cumulative e-fix level 22.214.171.124 or later. Note that this APAR will not be listed in the startup banner.|
|6.2, 6.1, and 5.5||IBM recommends upgrading the TSM server to a fixed level (7.1.4 or 126.96.36.199) or use the REVOKE PROXY command to remove all unauthroized users that have been granted proxy access (see Workarounds and Mitigation below).|
Workarounds and Mitigations
To eliminate exposure to this vulnerability, only grant proxy access to authorized users. The QUERY PROXY command can be used to determine the users that have been granted proxy access. Use the REVOKE PROXY command to remove all unauthorized users that have been granted proxy access.
You should update the configuration of users running unauthorized who should be running as authorized users. An authorized user is any non-root user who has read and write access to the stored password (TSM.PWD file), or anyone who knows the password and enters it interactively. Authorized users may use the PASSWORDDIR option to define the directory where their copy of the TSM.PWD file is saved. Details on authorized users are described in the IBM Knowledge Center documentation for Tivoli Storage Manager under the section entitled "UNIX and Linux client root and authorized user tasks".
Get Notified about Future Security Bulletins
05 February 2016 - Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
|Storage Management||IBM Spectrum Protect Extended Edition||Server||AIX, HP-UX, Linux, Solaris||5.5, 6.1, 6.2, 6.3, 7.1||All Editions|
More support for:
Tivoli Storage Manager
Software version: 5.5, 6.1, 6.2, 6.3, 7.1
Operating system(s): AIX, HP-UX, Linux, Solaris
Software edition: All Editions
Reference #: 1975957
Modified date: 05 February 2016
Translate this page: