Security Bulletin: Password Disclosure via FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL (CVE-2015-4949, CVE-2015-6557)

Security Bulletin


Summary

The password associated with Tivoli Storage Manager or the Microsoft SQL DB user is displayed in plain text via application pop-up messages for failed operations and in application trace output.

Vulnerability Details


CVEID: CVE-2015-4949
DESCRIPTION:
IBM Tivoli Storage Manager for Databases could allow a local user to see error messages that contain the plain text passwords of users.

When using one of the following applications:

  • Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server
  • Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
  • Tivoli Storage FlashCopy Manager on Windows

pop-up error messages associated with an exception condition generated during a failed backup, restore, or query operation will display the Tivoli Storage Manager password and/or the Microsoft SQL DB user's password in plain text.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104953 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)


CVEID: CVE-2015-6557
DESCRIPTION:
When application tracing is enabled, these passwords are displayed in plain text in the trace output.

In all cases, the passwords displayed are passwords that the logged in user executing the operation would already know or have access to via their login credentials.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106385 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

In the context of pop-up error messages:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 4.1 (for File System backups)
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 4.1

In the context of application tracing:
- Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5, 6.3, 6.4, and 7.1
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5, 6.1, 6.3, 6.4, and 7.1
- Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft SQL Server 3.1, 3.2, and 4.1
- Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 3.1, 3.2, and 4.1

Remediation/Fixes

Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server



Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix
7.1 | 7.1.2 | IT03480 | Note that 7.1.2 is no longer available for download. You can download 7.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/tivoli-data-protection/ntexch/v714/
6.4 | 6.4.1.7 | IT03480 | Note that 6.4.1.7 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com//storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/
6.3 | 6.3.1.5 | IT03480 | Note that 6.3.1.5 is no longer available for download. You can download 6.3.1.6 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/
6.1 | None | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
5.5 | 5.5.1.1 | IT03480 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v551/


Tivoli Storage FlashCopy Manager: FlashCopy Manager for Windows
    Includes fix for the following components:
    - Tivoli Storage FlashCopy Manager MMC Snapin and Base System Services
    - Tivoli Storage FlashCopy Manager for Microsoft SQL Server
    - Tivoli Storage FlashCopy Manager for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR | Remediation/First Fix
4.1 | 4.1.2 | IT03480 | Note that 4.1.2 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/
3.2 | 3.2.1.7 | IT03480 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
3.1 | 3.1.1.5 | IT03480 | Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release, which contains the most recent security fixes. Contact IBM Support with any questions.
2.2 | None | IT03480 | This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
2.1 | None | IT03480 | This release reached end of support on September 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

In the context of the pop-up error messages (which only affect the 7.1 and 4.1 releases of the affected software), use one of the following options to mitigate the problem:

  • Pop-up messages are only displayed when using the GUI. The command line interface (CLI) is not affected and can be used as a workaround to this problem.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use "generate" as a value for "passwordaccess" option and make sure that a valid password has been stored in the registry.

In the context of application tracing, use one of the following options to mitigate the problem:
  • Do not enable application tracing.
  • Use Windows authentication instead of SQL Server Authentication.
  • Use "generate" as a value for "passwordaccess" option and make sure that a valid password has been stored in the registry.
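One way to check a client options file for the two settings the mitigations above depend on, as an added example that is not part of the IBM bulletin: it parses "NAME VALUE" lines as found in dsm.opt, reports the passwordaccess value, and flags tracing options. PASSWORDACCESS is the option named in the bulletin; TRACEFLAGS and TRACEFILE are assumed here to be the tracing options in use, and the sample options file is constructed.

```powershell
# Added example (not IBM's code): audit a Tivoli Storage Manager client options
# file for the settings the bulletin's mitigations rely on.
# Assumptions: options are "NAME VALUE" lines as in dsm.opt, '*' starts a comment,
# PASSWORDACCESS defaults to PROMPT when absent, and TRACEFLAGS/TRACEFILE are the
# tracing options in use (verify against the documentation for your release).
function Get-TsmOptionAudit {
    param(
        [Parameter(Mandatory)]
        [string[]]$OptionLines   # contents of an options file, one element per line
    )

    $options = @{}
    foreach ($line in $OptionLines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('*')) { continue }
        $parts = $trimmed -split '\s+', 2
        $name  = $parts[0].ToUpperInvariant()
        $value = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        $options[$name] = $value
    }

    $passwordAccess = if ($options.ContainsKey('PASSWORDACCESS')) { $options['PASSWORDACCESS'] } else { 'PROMPT' }
    $tracingEnabled = $options.ContainsKey('TRACEFLAGS') -or $options.ContainsKey('TRACEFILE')

    [pscustomobject]@{
        PasswordAccess       = $passwordAccess
        PasswordAccessIsSafe = ($passwordAccess -ieq 'GENERATE')
        TracingEnabled       = $tracingEnabled
        Findings             = @(
            if ($passwordAccess -ine 'GENERATE') {
                "PASSWORDACCESS is '$passwordAccess'; the bulletin recommends GENERATE with a valid stored password"
            }
            if ($tracingEnabled) {
                'Tracing options present; trace output may contain plain text passwords (CVE-2015-6557)'
            }
        )
    }
}

# Constructed sample options file (not a real customer configuration)
$sampleOpt = @'
* dsm.opt - constructed sample
NODENAME         SQLHOST01
TCPSERVERADDRESS tsm.example.internal
PASSWORDACCESS   prompt
TRACEFLAGS       service
TRACEFILE        C:\temp\dpsql.trace
'@ -split "`r?`n"

Get-TsmOptionAudit -OptionLines $sampleOpt | Format-List
```

Run it against each dsm.opt on the affected hosts; a result with PasswordAccessIsSafe = True and TracingEnabled = False matches the bulletin's mitigated configuration.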

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

13 April 2018: Fixed 3.1 download information
6 October 2015: Added the link to the Data Protection for Exchange 5.5.1.1 fix.
1 October 2015: Added CVE-2015-6557 to the document title.
30 September 2015: Added CVE-2015-6557. Note: The description was already included in this document but the CVE information was not provided. Added rows for the 2.1 and 2.2 releases of FlashCopy Manager.
28 September 2015: In the Data Protection for Microsoft Exchange table, the row for the 6.1 release was modified to reflect "N/A" for the "Fixing Level" and the following note was added: "This release reached end of support on April 30, 2015. Support extensions are not available for this release. IBM recommends upgrading to a fixed, supported version/release/platform of the product."
02 September 2015: Added link to the FlashCopy Manager on Windows 3.2.1.7 fix.
18 August 2015: Added link to the Data Protection for Microsoft SQL Server 5.5.6.1 fix.
10 August 2015: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Storage Management | Tivoli Storage Manager for Mail | Data Protection for MS Exchange | | 5.5, 6.1, 6.3, 6.4, 7.1 |
Storage Management | Tivoli Storage FlashCopy Manager | FlashCopy Manager MMC Snapin and Base System Services | Windows | 3.1, 3.2, 4.1 |
Storage Management | Tivoli Storage FlashCopy Manager | FlashCopy Manager for Microsoft Exchange | Windows | 2.1, 2.2, 3.1, 3.2, 4.1 |
Storage Management | Tivoli Storage FlashCopy Manager | FlashCopy Manager for Microsoft SQL Server | Windows | 2.1, 2.2, 3.1, 3.2, 4.1 |

Document information

More support for: Tivoli Storage Manager for Databases, Data Protection for MS SQL

Software version: 5.5, 6.3, 6.4, 7.1

Operating system(s): Windows

Reference #: 1963630

Modified date: 06 October 2015