Security Bulletin: Privilege escalation vulnerability in IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2021-20532)

Summary

IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments may allow a local user to escalate their privileges. UPDATED: 14 June 2021 - Added 7.1 fix for IBM Spectrum Protect for Virtual Environments: Data Protection for VMware.

Vulnerability Details

CVEID:CVE-2021-20532
**DESCRIPTION:**IBM Spectrum Protect Client could allow a local user to escalate their privileges to take full control of the system due to insecure directory permissions.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198811 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V
| 8.1.0.0-8.1.11.0

Remediation/Fixes

IBM Spectrum Protect Backup-Archive Client
Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.12| Windows| <https://www.ibm.com/support/pages/node/6443671&gt;

IBM Spectrum Protect for
Virtual Environments:
Data Protection for VMware Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.12| Windows| <https://www.ibm.com/support/pages/node/6415103&gt;
7.1
| 7.1.8.11
| Windows
| <https://www.ibm.com/support/pages/node/316625&gt;

IBM Spectrum Protect for
Virtual Environments:
Data Protection for Hyper-V Release|First Fixing
VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.12| Windows
| <https://www.ibm.com/support/pages/node/6415103&gt;

Workarounds and Mitigations

None