Unprivileged users may be able to invoke privileged commands via SSH. A skilled user with the right type of network access to the hardware could craft an SSH command that grants them privileged access, allowing them to issue all administrative commands and potentially disrupt normal system operation. This patch fixes a security vulnerability that allows a TSSC service user to gain unauthorized access to the attached TS7700.
CVE ID: CVE-2014-3048
DESCRIPTION:
An unspecified vulnerability in IBM System Storage TS7740 Virtualization Engine could allow an attacker with physical access to obtain root-level privileges.
CVSS:
CVSS Base Score: 6.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93434 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
AFFECTED PRODUCTS:
IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB), all microcode versions.
REMEDIATION:
Contact IBM Service at 1-800-IBM-SERV to arrange the application of vtd_exec.195.
WORKAROUNDS AND MITIGATIONS:
Restrict physical access to the TS7700.