History: Jun 17, 2018 - 3:11 p.m.

Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-4927)

2018-06-17 15:11:08
www.ibm.com

EPSS: 0
Percentile: 5.1%

Summary

Weak file permissions exist on several files after the installation of Tivoli Storage Manager Reporting and Monitoring in a Linux or AIX environment. This creates the potential for privilege escalation by a local attacker.

Vulnerability Details

CVEID: CVE-2015-4927
DESCRIPTION: The installation of Tivoli Storage Manager Reporting & Monitoring leaves world-writable files with root ownership on the system for Unix and Linux versions. There is the potential of privilege escalation by an attacker making use of these files.
CVSS Base Score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104087 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring) versions 7.1, 6.3, 6.2, and 6.1 are affected by this vulnerability.

Remediation/Fixes

If the IBM Tivoli Monitoring for Tivoli Storage Manager product is already installed, please use the instructions provided in the Workarounds and Mitigations section.

Tivoli Storage Monitoring for Tivoli Storage Manager Version (Reporting and Monitoring) / First Fixing VRMF Level / Client Platform / Link to Fix (Fix Availability Target):

Version 7.1: first fixing VRMF level 7.1.3; platforms AIX, Linux; fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v7r1/7.1.3.000/
Version 6.3: first fixing VRMF level 6.3.6; platforms AIX, Linux; fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v6r3/6.3.6.000/

NOTES:
The Windows platform is not affected by this security issue.
Extended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1 for Tivoli Storage Manager can use the instructions provided in the Workaround and Mitigations section.

Workarounds and Mitigations

After installing the IBM Tivoli Monitoring for Tivoli Storage Manager Reporting and Monitoring feature, run the secureMain command to set the required security levels (permissions) on the installed directories.

Syntax
<install_dir>/bin/secureMain [-h install_dir] [-g common_group] [-t type_code] lock
<install_dir>/bin/secureMain [-h install_dir] [-g common_group] unlock

Parameters
install_dir - is the directory path for the IBM Tivoli Monitoring installation. If this parameter is not supplied, the script attempts to determine the location of the installation directory.
For example: /opt/tivoli/tsm/reporting/itm

common_group - is a group ID common to all of the user IDs that are used to run components in this installation. The user ID that is used to run the installation must also be a member of the group ID specified. The only exception is the root ID, which is not required to be a member of the group ID specified.

type_code - is a component code that belongs to an installed component. You can specify multiple -t options to create a list of component codes to be processed.

Notes
If the secureMain command is started with no parameters, the usage text is displayed.

The lock parameter is used to set more restrictive permissions in an IBM Tivoli Monitoring installation. It must be run after you install or configure components.

When the secureMain command with the lock parameter is run with no other parameters, the permissions are set to execute permissions (755) for most directories. However, world write permissions (777) are set on a number of directories. When certain components that are commonly run by using multiple user IDs are present in the installation, many more files have world write permissions set.

When the secureMain command is run with the lock and -g common_group parameters set, the permissions are set to execute permissions and the directories have their group owner changed to the common_group specified. No directories are left with world write permissions. Even when components that are commonly run by using multiple user IDs are present in the installation, no files are set to world write permissions. Additionally, the common_group value is written to a file and is used for all future invocations of secureMain command with the lock parameter in the same installation, unless the -g common_group parameter is specified and the common_group is different from the previous value.

When the secureMain command is run with the lock and -t type_code parameters set, sections of the installation might be skipped when you set permissions to execute permission. Common directories, like bin, config, registry, and logs are always processed. Only directories specific to the specified type_code components are processed. The other component directory trees are skipped.

You can run the secureMain command with the unlock parameter to set less strict permissions in an IBM Tivoli Monitoring installation.

Running the secureMain command with the unlock parameter is normally not necessary, but can be run if required. You must run the command before you install or configure components.

Running the secureMain command with the unlock parameter does not return the installation to the permission state that it was in before you ran the secureMain command with the lock parameter. It processes only the common directories, like bin, config, registry, and logs.

Example
The following example locks the installation by using the common group itmgroup:
secureMain -g itmgroup lock
The following example locks the base and mq component directories by using the common group itmgroup:
secureMain -g itmgroup -t mq lock
