Weak file permissions exist on several files after the installation of Tivoli Storage Manager Reporting and Monitoring in a Linux or AIX environment. A local attacker could use these files to escalate privileges.
**CVEID:** CVE-2015-4927
**DESCRIPTION:** The installation of Tivoli Storage Manager Reporting & Monitoring leaves world-writable files with root ownership on the system for Unix and Linux versions. There is the potential of privilege escalation by an attacker making use of these files.
CVSS Base Score: 7.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104087> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring) 7.1, 6.3, 6.2, and 6.1 versions are affected by this vulnerability.
If the IBM Tivoli Monitoring for Tivoli Storage Manager product is already installed, please use the instructions provided in the Workarounds and Mitigations section.
| Tivoli Storage Monitoring for Tivoli Storage Manager Version (Reporting and Monitoring) | First Fixing VRMF Level | Client Platform | Link to Fix / Fix Availability Target |
|---|---|---|---|
| 7.1 | 7.1.3 | AIX, Linux | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v7r1/7.1.3.000/> |
| 6.3 | 6.3.6 | AIX, Linux | <ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v6r3/6.3.6.000/> |
NOTES:
The Windows platform is not affected by this security issue.
Extended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1 for Tivoli Storage Manager can use the instructions provided in the Workaround and Mitigations section.
After installing the IBM Tivoli Monitoring for Tivoli Storage Manager Reporting and Monitoring feature, run the secureMain command to set the required security levels (permissions) on the installed directories.
Syntax

```
<install_dir>/bin/secureMain [-h install_dir] [-g common_group] [-t type_code] lock
<install_dir>/bin/secureMain [-h install_dir] [-g common_group] unlock
```
Parameters
install_dir - is the directory path for the IBM Tivoli Monitoring installation. If this parameter is not supplied, the script attempts to determine the location of the installation directory. For example: /opt/tivoli/tsm/reporting/itm

common_group - is a group ID common to all of the user IDs that are used to run components in this installation. The user ID that is used to run the installation must also be a member of the group ID specified. The only exception is the root ID, which is not required to be a member of the group ID specified.

type_code - is a component code that belongs to an installed component. You can specify multiple -t options to create a list of component codes to be processed.
Notes

If the secureMain command is started with no parameters, the usage text is displayed.

The lock parameter is used to set more restrictive permissions in an IBM Tivoli Monitoring installation. It must be run after you install or configure components.

When the secureMain command is run with the lock parameter and no other parameters, the permissions are set to execute permissions (755) for most directories. However, world write permissions (777) are set on a number of directories. When certain components that are commonly run by using multiple user IDs are present in the installation, many more files have world write permissions set.

When the secureMain command is run with the lock and -g common_group parameters set, the permissions are set to execute permissions and the directories have their group owner changed to the common_group specified. No directories are left with world write permissions. Even when components that are commonly run by using multiple user IDs are present in the installation, no files are set to world write permissions. Additionally, the common_group value is written to a file and is used for all future invocations of the secureMain command with the lock parameter in the same installation, unless the -g common_group parameter is specified and the common_group is different from the previous value.

When the secureMain command is run with the lock and -t type_code parameters set, sections of the installation might be skipped when you set permissions to execute permission. Common directories, like bin, config, registry, and logs, are always processed. Only directories specific to the specified type_code components are processed. The other component directory trees are skipped.
You can run the secureMain command with the unlock parameter to set less strict permissions in an IBM Tivoli Monitoring installation. Running the secureMain command with the unlock parameter is normally not necessary, but can be done if required. You must run the command before you install or configure components.

Running the secureMain command with the unlock parameter does not return the installation to the permission state that it was in before you ran the secureMain command with the lock parameter. It processes only the common directories, like bin, config, registry, and logs.
Example

The following example locks the installation by using the common group itmgroup:

```
secureMain -g itmgroup lock
```

The following example locks the base and mq component directories by using the common group itmgroup:

```
secureMain -g itmgroup -t mq lock
```
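The bulletin does not ship a way to confirm that the world-writable, root-owned files are gone after secureMain has been run. The following POSIX shell helper is an added example, not part of the IBM bulletin or of the secureMain script: it walks an installation directory and reports every regular file or directory whose mode grants write permission to "other" (bit 002), separately counts those owned by root (the condition the CVE describes), and exposes a `verify_locked` check meant to be run after `secureMain -g <common_group> lock`. The default path `/opt/tivoli/tsm/reporting/itm` is the example install_dir from the bulletin; that your installation lives there is an assumption, override it with `ITM_DIR`. The fixture tree built by `make_fixture` is constructed here purely so the functions can be exercised on a throwaway directory.

```shell
#!/bin/sh
# Added audit helper for CVE-2015-4927 (not part of the IBM bulletin or of
# secureMain). Detects world-writable entries under an ITM installation
# before the fix, and verifies none remain after "secureMain -g <group> lock".
# Assumption: install_dir is /opt/tivoli/tsm/reporting/itm unless ITM_DIR is set.
ITM_DIR="${ITM_DIR:-/opt/tivoli/tsm/reporting/itm}"

# Print "ls -ld" lines for every regular file or directory under $1 whose
# mode grants write to "other" (bit 002). Symlinks are ignored and the walk
# stays on one filesystem (-xdev), so a mounted data volume is not scanned.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 -exec ls -ld {} \; 2>/dev/null
}

# Number of world-writable files/directories under $1 (0 when the path is absent).
count_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Same count restricted to root-owned entries: the exact condition in the bulletin,
# where an unprivileged local user can modify content that root later executes or reads.
count_root_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -002 -user root 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds (exit 0) only when no world-writable entry remains under $1.
# Intended as the post-check after "secureMain -g <common_group> lock".
verify_locked() {
    [ "$(count_world_writable "$1")" -eq 0 ]
}

# Constructed fixture: a throwaway tree shaped like a cut-down ITM install with
# one correctly locked file (755), one world-writable file (666) and one
# world-writable directory (777). Prints the fixture path.
make_fixture() {
    fx="$(mktemp -d)"
    mkdir "$fx/bin" "$fx/logs"
    touch "$fx/bin/secureMain" "$fx/logs/trace.log"
    chmod 755 "$fx/bin/secureMain"
    chmod 666 "$fx/logs/trace.log"
    chmod 777 "$fx/logs"
    printf '%s\n' "$fx"
}

# Audit the real installation if it is present, otherwise demonstrate on the fixture.
if [ -d "$ITM_DIR" ]; then
    printf 'Auditing %s\n' "$ITM_DIR"
    list_world_writable "$ITM_DIR"
    printf 'world-writable entries: %s (root-owned: %s)\n' \
        "$(count_world_writable "$ITM_DIR")" "$(count_root_world_writable "$ITM_DIR")"
else
    fx="$(make_fixture)"
    printf 'ITM_DIR %s not found; demonstrating on constructed fixture %s\n' "$ITM_DIR" "$fx"
    list_world_writable "$fx"
    rm -rf "$fx"
fi
```

Run it before applying the fix to see the affected paths, then again after `secureMain -g <common_group> lock`; `verify_locked "$ITM_DIR"` returning non-zero means the lock did not remove every world-write bit (as the notes above warn happens when lock is run without -g). The walk deliberately skips symlinks, since their mode bits are meaningless, and `-xdev` keeps it from descending into mounted volumes.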