Security Bulletin
Summary
Unauthorized Tivoli Storage Manager client sessions using the ASNODENAME option may run as authorized sessions allowing the user to generate or retrieve backup data for which they are not authorized.
Vulnerability Details
CVEID: CVE-2015-7408
DESCRIPTION: Tivoli Storage Manager clients can use the ASNODENAME option which allows the client session to run as a proxy for another client to which they have been granted proxy authority. The Tivoli Storage Manager server fails to adequately check the authorization of client sessions using the ASNODENAME option and runs the session as an authorized session. As a result, unauthorized users with proxy authority can generate and retrieve backup data that they would otherwise not be allowed to write or access.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107434 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) server levels:
- 7.1.0.0 through 7.1.3.x
- 6.3.0.0 through 6.3.5.0
- 6.2 all levels
- 6.1 all levels
- 5.5 all levels
Remediation/Fixes
Tivoli Storage Manager Server Release | Fixing VRM Level | APAR | Platform | Link to Fix / Fix Availability Target |
7.1 | 7.1.4 | IT13609 | AIX HP-UX Linux Solaris | http://www.ibm.com/support/docview.wss?uid=swg24041416 Note that this APAR will not be listed in the startup banner. |
6.3 | 6.3.5.1 | IT13609 | AIX HP-UX Linux Solaris | Please contact IBM support to obtain cumulative e-fix level 6.3.5.110 or later. Note that this APAR will not be listed in the startup banner. |
6.2, 6.1, and 5.5 | IBM recommends upgrading the TSM server to a fixed level (7.1.4 or 6.3.5.1) or use the REVOKE PROXY command to remove all unauthroized users that have been granted proxy access (see Workarounds and Mitigation below). |
Workarounds and Mitigations
To eliminate exposure to this vulnerability, only grant proxy access to authorized users. The QUERY PROXY command can be used to determine the users that have been granted proxy access. Use the REVOKE PROXY command to remove all unauthorized users that have been granted proxy access.
You should update the configuration of users running unauthorized who should be running as authorized users. An authorized user is any non-root user who has read and write access to the stored password (TSM.PWD file), or anyone who knows the password and enters it interactively. Authorized users may use the PASSWORDDIR option to define the directory where their copy of the TSM.PWD file is saved. Details on authorized users are described in the IBM Knowledge Center documentation for Tivoli Storage Manager under the section entitled "UNIX and Linux client root and authorized user tasks".
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
05 February 2016 - Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21975957