Jun 17, 2018 - 3:05 p.m.

Security Bulletin: Multiple Security Vulnerabilities in IBM Tivoli Storage Manager FastBack (CVE-2015-4931, CVE-2015-4932, CVE-2015-4933, CVE-2015-4934, CVE-2015-4935)

2018-06-17 15:05:30
www.ibm.com

EPSS: 0.48 Medium, Percentile: 97.5%

Summary

IBM Tivoli Storage Manager FastBack is affected by multiple security vulnerabilities, such as stack-based buffer overflow, command injection and remote code execution. These vulnerabilities may cause the server to crash, elevate privileges, or disclose information.

Vulnerability Details

CVEID: CVE-2015-4931
DESCRIPTION: IBM Tivoli Storage Manager FastBack server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a crafted packet, an attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the server to crash.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104161> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4932
DESCRIPTION: IBM Tivoli Storage Manager FastBack server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a crafted packet, an attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the server to crash.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104162> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4933
DESCRIPTION: IBM Tivoli Storage Manager FastBack server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a crafted packet, an attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the server to crash.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104163> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4934
DESCRIPTION: IBM Tivoli Storage Manager FastBack server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a crafted packet, an attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the server to crash.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104164> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-4935
DESCRIPTION: IBM Tivoli Storage Manager FastBack server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending a crafted packet, an attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the server to crash.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104165> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager FastBack 6.1.0.0 through 6.1.12.0

Remediation/Fixes

| FastBack Release | First Fixing VRMF Level | Platform | APAR | Link to fix |
|---|---|---|---|---|
| 6.1 | 6.1.12.1 | Windows | None | http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack&fixids=6.1.12.1-TIV-TSMFB-FP001&source=SAR&function=fixId&parent=ibm/Tivoli |
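To triage an inventory against the affected range and first fixing level above, the following is an added example, not part of IBM's bulletin. The host names and sample versions are constructed, and two assumptions are made: short version strings are padded with zeros, and 6.1 levels at or above 6.1.12.1 are treated as fixed.

```python
import re

# From the bulletin: affected 6.1.0.0 through 6.1.12.0, first fixing level 6.1.12.1.
AFFECTED_FIRST = (6, 1, 0, 0)
AFFECTED_LAST = (6, 1, 12, 0)
FIRST_FIXED = (6, 1, 12, 1)


def parse_vrmf(text):
    """Parse 'V.R.M.F' into a 4-tuple of ints; None if it is not 2-4 dotted numbers.

    Comparing integers matters: as strings, "6.1.9" sorts after "6.1.12".
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # assumption: pad short forms


def classify(version_text):
    """Return 'affected', 'fixed', 'out-of-range' or 'unparseable'."""
    v = parse_vrmf(version_text)
    if v is None:
        return "unparseable"  # report it, do not guess
    if AFFECTED_FIRST <= v <= AFFECTED_LAST:
        return "affected"
    # Assumption: later levels of the same 6.1 release carry the fix forward.
    if v[:2] == FIRST_FIXED[:2] and v >= FIRST_FIXED:
        return "fixed"
    return "out-of-range"  # the bulletin makes no statement about this level


def triage(inventory):
    """Map host -> classification for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = {
    "fb-srv-01": "6.1.12.0",
    "fb-srv-02": "6.1.12.1",
    "fb-srv-03": "6.1.9",
    "fb-srv-04": "6.1.12",
    "fb-srv-05": "5.5.6.0",
    "fb-srv-06": "6.1.x",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

Hosts reported as `unparseable` or `out-of-range` need manual review, since the bulletin covers only the 6.1 release.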

Workarounds and Mitigations

None
