nessus - This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. - TIVOLI_STORAGE_MANAGER_VIRTUAL_ENVIRONMENTS_VMWARE_CVE-2015-7426.NASL
HistoryJan 08, 2016 - 12:00 a.m.

IBM TSM for Virtual Environments 6.3.x < 6.3.2.5 / 6.4.x < 6.4.3.1 / 7.1.x < 7.1.4.0 RCE

2016-01-08 00:00:00
This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
www.tenable.com
15

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.009

Percentile

83.2%

The version of IBM Tivoli Storage Manager (TSM) for Virtual Environments installed on the remote host is 6.3.x prior to 6.3.2.5, 6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.4.0. It is, therefore, affected by multiple vulnerabilities:

  • An unspecified flaw exists in the user interface that allows an unauthenticated, remote attacker to perform backup and restore operations and to execute TSM administrative commands. (CVE-2015-7425)

  • A privilege escalation vulnerability exists in the IBM Data Protection Extension. An authenticated, remote attacker can exploit this to select an existing virtual machine from the vSphere inventory and perform a restore operation even though the attacker does not have the privilege level required for the operation. The restore operation will not overwrite the existing virtual machine but instead will create a new virtual machine with the same data as the existing virtual machine.
    After the restore creates the new virtual machine, the attacker can then access its unencrypted data, regardless of access permissions to the existing virtual machine data. Note that this issue only applies to version 7.1.x prior to 7.1.4. (CVE-2015-7429)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is declared and the script leaves through the
# exit(0) at the end of this block, before any check runs.
if (description)
{
  script_id(87823);
  script_version("1.11");
  script_cvs_date("Date: 2018/08/01 17:36:12");

  # NOTE(review): the published file name of this plugin ends in
  # CVE-2015-7426, while the list below carries CVE-2015-7425 and
  # CVE-2015-7429 - confirm the identifiers against the two IBM bulletins
  # referenced in see_also before using them for tracking.
  script_cve_id("CVE-2015-7425", "CVE-2015-7429");
  script_bugtraq_id(79541, 79545);

  # NOTE(review): the title says "RCE"; the description text below speaks of
  # unauthenticated backup/restore operations, TSM administrative command
  # execution and a privilege escalation on restore.
  script_name(english:"IBM TSM for Virtual Environments 6.3.x < 6.3.2.5 / 6.4.x < 6.4.3.1 / 7.1.x < 7.1.4.0 RCE");
  script_summary(english:"Checks the version of TSM for Virtual Environments.");

  script_set_attribute(attribute:"synopsis", value:
"A backup application installed on the remote host is affected by a
remote command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of IBM Tivoli Storage Manager (TSM) for Virtual
Environments installed on the remote host is 6.3.x prior to 6.3.2.5,
6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.4.0. It is, therefore,
affected by multiple vulnerabilities :

  - An unspecified flaw exists in the user interface that
    allows an unauthenticated, remote attacker to perform
    backup and restore operations and to execute TSM
    administrative commands. (CVE-2015-7425)

  - A privilege escalation vulnerability exists in the IBM
    Data Protection Extension. An authenticated, remote
    attacker can exploit this to select an existing virtual
    machine from the vSphere inventory and perform a restore
    operation even though the attacker does not have the
    privilege level required for the operation. The restore
    operation will not overwrite the existing virtual
    machine but instead will create a new virtual machine
    with the same data as the existing virtual machine.
    After the restore creates the new virtual machine, the
    attacker can then access its unencrypted data,
    regardless of access permissions to the existing virtual
    machine data. Note that this issue only applies to
    version 7.1.x prior to 7.1.4. (CVE-2015-7429)");
  # Vendor bulletins for the two issues.
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21973086");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21973087");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Storage Manager for Virtual Environments version
6.3.2.5 / 6.4.3.1 / 7.1.4.0 or later.");
  # Base vectors: network attack vector, low complexity, no authentication
  # or privileges, full impact. Temporal vectors: E:U (exploit unproven),
  # RL:OF / RL:O (official fix available), RC:C (report confirmed).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure and patch share the same date; the plugin followed about four
  # weeks later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/08");

  # Declared as a local check. NOTE(review): presumably the finding is derived
  # from install data gathered on the host rather than from probing the
  # product's interface - confirm against the detection plugins.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_for_virtual_environments");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # Detection plugins that must run first (a generic and a Linux variant,
  # judging by the names); presumably they record the install key required
  # below.
  script_dependencies(
    "tivoli_storage_manager_virtual_environments_installed.nbin",
    "tivoli_storage_manager_virtual_environments_installed_linux.nbin"
  );
  # The plugin is skipped unless this install key is present.
  script_require_keys("installed_sw/Tivoli Storage Manager for Virtual Environments");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

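# Version check for IBM TSM for Virtual Environments on VMware.
# The verdict rests only on the version string returned by
# get_single_install(); this script itself sends nothing to the product.
# A finding therefore means "installed release is older than the fixed
# release", not that the flaw was exercised.
app = 'Tivoli Storage Manager for Virtual Environments';

# Stop right away when no install of the product was recorded.
get_install_count(app_name:app, exit_if_zero:TRUE);

# exit_if_unknown_ver: an install without a usable version cannot be judged.
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
version = install["version"];
path = install["path"];
hypervisor = install["Hypervisor"];

# The hypervisor flavour becomes part of the name used in audit messages.
app += " for " + hypervisor;

# Only the VMware flavour is covered by this plugin.
if (hypervisor != "VMware")
  audit(AUDIT_INST_VER_NOT_VULN, app, version);

# Pick the fixed release of the installed branch. Branches other than
# 6.3 / 6.4 / 7.1 are audited out as not affected.
# Per the plugin description, CVE-2015-7429 applies to 7.1.x only, so a
# finding on 6.3.x or 6.4.x concerns the unauthenticated interface flaw.
if (version =~ "^6\.3\.")
  fix = "6.3.2.5";
else if (version =~ "^6\.4\.")
  fix = "6.4.3.1";
else if (version =~ "^7\.1\.")
  fix = "7.1.4.0";
else
  audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

# At or above the fixed release: nothing to report.
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

# Differentiate Linux vs Windows: on a host whose registry was enumerated
# the finding is attached to the SMB transport port, otherwise to port 0.
if (get_kb_item("SMB/Registry/Enumerated"))
{
  port = get_kb_item("SMB/transport");
  # The transport key may be absent; fall back to the default SMB port so
  # the finding is never attached to an undefined port.
  if (!port) port = 445;
}
else
  port = 0;

if (report_verbosity > 0)
{
  # The report carries what an operator needs to locate and upgrade the
  # install: flavour, path, installed release and target release.
  report =
    '\n  Hypervisor        : ' + hypervisor +
    '\n  Path              : ' + path +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix + '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);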

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.009

Percentile

83.2%
