History: Aug 19, 2022 - 11:26 p.m.

Security Bulletin: Multiple Security Vulnerabilities in IBM Tivoli Storage Manager FastBack

2022-08-19 23:26:06
www.ibm.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.96 High
Percentile: 99.5%

Summary

IBM Tivoli Storage Manager FastBack is affected by multiple security vulnerabilities such as stack-based buffer overflow, command injection and remote code execution. These vulnerabilities may allow an attacker to crash the server, elevate privileges, or disclose information.

Vulnerability Details

CVEID: CVE-2015-1923
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102741> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1924
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102776> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1925
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102778> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1929
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102965> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1930
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102966> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1938
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server could allow a remote unauthenticated attacker to inject a command that would be executed by the server.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103110> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-1941
DESCRIPTION: IBM Tivoli Storage Manager FastBack could allow a remote attacker to read any file on the system by sending a specially crafted packet to a specific TCP port.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103136> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

CVEID: CVE-2015-1942
DESCRIPTION: IBM Tivoli Storage Manager FastBack could allow a remote attacker to write and execute a file on the system by sending a specially crafted packet to a specific TCP port.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103137> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-1948
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103205> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1949
DESCRIPTION: IBM Tivoli FastBack Server could allow a remote attacker to inject commands that would be executed with system access.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103218> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-1953
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103422> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1954
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103423> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1962
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103548> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1963
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103549> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1964
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103550> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1965
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server is vulnerable to a stack-based buffer overflow, which would allow a remote attacker to cause the server to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103551> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2015-1986
DESCRIPTION: IBM Tivoli Storage Manager FastBack Server could allow a remote unauthenticated attacker to inject a command that would be executed by the server.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103822> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Storage Manager FastBack 6.1.0.0 through 6.1.11.1.

Remediation/Fixes

FastBack Release | First Fixing VRMF Level | Platform | APAR | Link to fix
---|---|---|---|---
6.1 | 6.1.12 | Windows | None | <http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FTivoli%2FIBM+Tivoli+Storage+Manager+FastBack>
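
The affected range and first fixing level above can be turned into an inventory triage check. The following is an added example, not part of the IBM bulletin; the host names and the inventory are constructed, and the function names are hypothetical. It compares VRMF levels numerically, since a plain string comparison ranks "6.1.9.0" above "6.1.12".

```python
# Added example: triage installed FastBack versions against this bulletin.
AFFECTED_MIN = (6, 1, 0, 0)     # "6.1.0.0 through 6.1.11.1" (from the bulletin)
AFFECTED_MAX = (6, 1, 11, 1)
FIRST_FIX = (6, 1, 12, 0)       # first fixing VRMF level 6.1.12, zero-padded


def parse_vrmf(text):
    """Parse 'V.R.M.F' (or a shorter form) into a zero-padded 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version):
    """Return 'affected', 'fixed' or 'not-covered' for one version string."""
    v = parse_vrmf(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == FIRST_FIX[:2] and v >= FIRST_FIX:
        return "fixed"
    # Other releases, or levels between 6.1.11.1 and 6.1.12 that the
    # bulletin does not list: flag for manual review instead of guessing.
    return "not-covered"


def triage(inventory):
    """Map host -> status; unparsable version strings become 'invalid'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "invalid"
    return result


# Constructed inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "backup-01": "6.1.9.0",
    "backup-02": "6.1.11.1",
    "backup-03": "6.1.12",
    "backup-04": "6.1.11.5",
    "backup-05": "5.5.7",
    "backup-06": "6.1.x",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```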

Workarounds and Mitigations

None
