Security Bulletin: IBM Tivoli Storage Manager ASNODENAME Vulnerability (CVE-2015-7408)

Summary

Unauthorized Tivoli Storage Manager client sessions using the ASNODENAME option may run as authorized sessions allowing the user to generate or retrieve backup data for which they are not authorized.

Vulnerability Details

CVEID: CVE-2015-7408**
DESCRIPTION:** Tivoli Storage Manager clients can use the ASNODENAME option which allows the client session to run as a proxy for another client to which they have been granted proxy authority. The Tivoli Storage Manager server fails to adequately check the authorization of client sessions using the ASNODENAME option and runs the session as an authorized session. As a result, unauthorized users with proxy authority can generate and retrieve backup data that they would otherwise not be allowed to write or access.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107434 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following IBM Tivoli Storage Manager (IBM Spectrum Protect) server levels:

• 7.1.0.0 through 7.1.3.x
• 6.3.0.0 through 6.3.5.0
• 6.2 all levels
• 6.1 all levels
• 5.5 all levels

Remediation/Fixes

Tivoli Storage Manager Server Release

| Fixing VRM Level|APAR|**_

Platform_|Link to Fix / Fix Availability Target**
—|—|—|—|—
7.1| 7.1.4| IT13609| AIX
HP-UX
Linux
Solaris| http://www.ibm.com/support/docview.wss?uid=swg24041416
Note that this APAR will not be listed in the startup banner.
6.3| 6.3.5.1| IT13609| AIX
HP-UX
Linux
Solaris| Please contact IBM support to obtain cumulative e-fix level 6.3.5.110 or later. Note that this APAR will not be listed in the startup banner.
6.2, 6.1, and 5.5|
|
|
| IBM recommends upgrading the TSM server to a fixed level (7.1.4 or 6.3.5.1) or use the REVOKE PROXY command to remove all unauthroized users that have been granted proxy access (see Workarounds and Mitigation below).

Workarounds and Mitigations

To eliminate exposure to this vulnerability, only grant proxy access to authorized users. The QUERY PROXY command can be used to determine the users that have been granted proxy access. Use the REVOKE PROXY command to remove all unauthorized users that have been granted proxy access.

You should update the configuration of users running unauthorized who should be running as authorized users. An authorized user is any non-root user who has read and write access to the stored password (TSM.PWD file), or anyone who knows the password and enters it interactively. Authorized users may use the PASSWORDDIR option to define the directory where their copy of the TSM.PWD file is saved. Details on authorized users are described in the IBM Knowledge Center documentation for Tivoli Storage Manager under the section entitled “UNIX and Linux client root and authorized user tasks”.