CERT VU:887249
History: Feb 05, 2007 - 12:00 a.m.

IBM Tivoli Storage Manager Server vulnerable to buffer overflow

2007-02-05 00:00:00
www.kb.cert.org

CVSS2: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.964 High
Percentile: 99.5%

Overview

A buffer overflow condition exists in the IBM Tivoli Storage Manager server. If successfully exploited, this vulnerability would allow an attacker to cause a denial-of-service condition or possibly execute arbitrary code.

Description

The IBM Tivoli Storage Manager (TSM) is a remote backup software package that runs on clients and servers. TSM clients must register and authenticate to servers before performing backup functions.

From TippingPoint Advisory TSRT-06-14:
The initial sign-on request contains a field to specify the language. In normal cases we’ve seen, this string is dscenu.txt. Typically the server will validate that the language string is no longer than 0x100 bytes. However, if the first byte of the language string is 0x18, this check will not occur, and a fixed sized buffer will be overrun.

An attacker may be able to craft a malformed sign-on request that triggers the overflow on the TSM Server.
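
The flaw quoted above comes down to a length check that one input value bypasses. The following C sketch is an added illustration, not IBM's code and not part of either advisory; the function names, the destination buffer size and the sample inputs are assumptions, and only the 0x100 limit and the 0x18 first byte come from the advisory text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LANG_MAX  0x100  /* length limit quoted in the advisory */
#define LANG_SKIP 0x18   /* first byte that skips the check, per the advisory */

/* Flawed pattern: returns 1 when the field would be passed on to the copy.
 * A field whose first byte is LANG_SKIP is accepted without its length
 * ever being examined. */
int accept_flawed(const unsigned char *lang, size_t len) {
    if (len > 0 && lang[0] == LANG_SKIP)
        return 1;
    return len <= LANG_MAX;
}

/* Hardened pattern: the bound applies to every input, whatever byte leads. */
int accept_hardened(const unsigned char *lang, size_t len) {
    return lang != NULL && len <= LANG_MAX;
}

/* Hardened copy: checks the protocol limit and the real destination size
 * before copying. Returns 0 on success, -1 when the field is rejected. */
int copy_language(unsigned char *dst, size_t dst_size,
                  const unsigned char *lang, size_t len) {
    if (!accept_hardened(lang, len) || len >= dst_size)
        return -1;
    memcpy(dst, lang, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    unsigned char big[0x200];          /* constructed oversized field */
    unsigned char dst[LANG_MAX + 1];   /* assumed fixed-size destination */

    memset(big, 'A', sizeof big);
    printf("oversized, plain first byte: flawed=%d hardened=%d\n",
           accept_flawed(big, sizeof big), accept_hardened(big, sizeof big));
    big[0] = LANG_SKIP;
    printf("oversized, first byte 0x18:  flawed=%d hardened=%d\n",
           accept_flawed(big, sizeof big), accept_hardened(big, sizeof big));
    printf("copy of dscenu.txt: %d, copy of oversized field: %d\n",
           copy_language(dst, sizeof dst, (const unsigned char *)"dscenu.txt", 10),
           copy_language(dst, sizeof dst, big, sizeof big));
    return 0;
}
```

The point for code review is that every branch leading to the copy has to pass through the same bound, and that the bound is tied to the actual destination size rather than to a protocol constant alone.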

Note that IBM has released the following information on its support site, which conflicts with other public reports:
This problem relates to an internal buffer overflow in TSM but IBM does not believe it is possible to exploit this buffer overflow for remote code execution, however, this exposure can be used to crash the TSM server.


Impact

A remote, unauthenticated attacker may be able to cause the TSM server to crash, thereby creating a denial-of-service condition. It may also be possible for the attacker to execute arbitrary code in the context of the TSM server.


Solution

Update

An update provided by IBM may address this issue.


Restrict access
Restricting access to port 1500/tcp at the network perimeter may mitigate the effects of this vulnerability. Note that an administrator can change the port that the TSM servers use with the port_address parameter.


Vendor Information

887249


IBM Corporation Affected

Notified: December 05, 2006 Updated: February 05, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This report was based on information from TippingPoint Advisory TSRT-06-14.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-5855
Severity Metric: 0.36
Date Public:
