IBM TSM for Virtual Environments 6.4.x < 6.4.3.4 / 7.1.x < 7.1.6.0 RCE

2016-08-26T00:00:00
ID TIVOLI_STORAGE_MANAGER_VIRTUAL_ENVIRONMENTS_VMWARE_CVE-2016-2988.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-09-02T00:00:00

Description

The version of IBM Tivoli Storage Manager (TSM) for Virtual Environments installed on the remote host is 6.4.x prior to 6.4.3.4 or 7.1.x prior to 7.1.6.0. It is, therefore, affected by an unspecified flaw in the GUI that allows an authenticated, remote attacker in limited cases to exercise certain commands that require administrative credentials without having these credentials.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93127);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-2988");

  script_name(english:"IBM TSM for Virtual Environments 6.4.x < 6.4.3.4 / 7.1.x < 7.1.6.0 RCE");
  script_summary(english:"Checks the version of TSM for Virtual Environments.");

  script_set_attribute(attribute:"synopsis", value:
"A backup application installed on the remote host is affected by a
remote command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of IBM Tivoli Storage Manager (TSM) for Virtual
Environments installed on the remote host is 6.4.x prior to 6.4.3.4 or
7.1.x prior to 7.1.6.0. It is, therefore, affected by an unspecified
flaw in the GUI that allows an authenticated, remote attacker in
limited cases to exercise certain commands that require administrative
credentials without having these credentials.");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg21988781");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Storage Manager for Virtual Environments version
6.4.3.4 / 7.1.6.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2988");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_for_virtual_environments");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tivoli_storage_manager_virtual_environments_installed.nbin", "tivoli_storage_manager_virtual_environments_installed_linux.nbin");
  script_require_keys("installed_sw/Tivoli Storage Manager for Virtual Environments");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app = 'Tivoli Storage Manager for Virtual Environments';

install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
version = install["version"];
path = install["path"];
hypervisor = install["Hypervisor"];

app += " for " + hypervisor;

if (hypervisor != "VMware")
  audit(AUDIT_INST_VER_NOT_VULN, app, version);

if (version =~ "^6\.4\.")
  fix = "6.4.3.4";
else if (version =~ "^7\.1\.")
  fix = "7.1.6.0";
else
  audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

port = get_kb_item("SMB/transport");
if (!port) port = 445;

report =
  '\n  Hypervisor        : ' + hypervisor +
  '\n  Path              : ' + path +
  '\n  Installed version : ' + version +
  '\n  Fixed version     : ' + fix + '\n';
security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);