IBM TS3100/TS3200 Web UI Authentication Bypass

`Trustwave's SpiderLabs Security Advisory TWSL2011-018:  
Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface  
  
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-018.txt  
  
Published: 2011-12-20  
Version: 1.0  
  
Vendor: IBM (http://www.ibm.com)  
Product: TS3100/TS3200 Tape Library  
Version affected: Firmware less than A.60  
  
Product description:  
Entry-level tape library designed to provide reliable,high capacity, high  
performance tape backup. The TS3100/TS3200 models and its storage  
management applications are designed to address capacity, performance, data  
protection, reliability, availability, affordability and application  
requirements. It is designed as a functionally rich, entry tape-storage  
solution incorporating LTO Ultrium tape technology.  
  
  
Credit: Martin Murfitt of Trustwave SpiderLabs  
  
Finding: Authentication Bypass (Web Management Console)  
CVE: CVE-2011-1372  
  
The IBM TS3200/TS3200 Web User Interface is vulnerable to an authentication  
bypass attack. By sending a series of requests to the authentication  
function, it is possible to trigger a condition which causes the  
application to grant an access cookie which permits remote administration.  
  
Repeated queries using the following HTTP query arguments provided  
administrative access to the appliance after several tries:  
  
user_level=3&password=aaaaaaaaaaa&login=Log+in'  
  
The password is not believed to be significant. Once access is granted,  
the following cookies are set on the client's browser:  
  
Cookie: RMU_LEVEL=3; RMU_LOGIN=9999  
  
  
Remediation Steps:  
Update firmware version to A.60 or above.  
  
Revision History:  
1/17/11 - Vulnerability disclosed  
11/18/11 - Patch released by vendor  
12/20/11 - Advisory published  
  
  
References  
1. http://www-03.ibm.com/systems/storage/tape/ts3200/  
  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and  
subscription-based information security and payment card  
industry compliance management solutions to businesses and  
government entities throughout the world. For organizations  
faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with  
comprehensive solutions that include its flagship  
TrustKeeper compliance management software and other  
proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500  
businesses and large financial institutions to small and  
medium-sized retailers--manage compliance and secure their  
network infrastructure, data communications and critical  
information assets. Trustwave is headquartered in Chicago  
with offices throughout North America, South America,  
Europe, Africa, China and Australia. For more information,  
visit https://www.trustwave.com  
  
About Trustwave's SpiderLabs:  
SpiderLabs is the advance security team at Trustwave  
responsible for incident response and forensics, ethical  
hacking and application security tests for Trustwave's  
clients. SpiderLabs has responded to hundreds of security  
incidents, performed thousands of ethical hacking exercises  
and tested the security of hundreds of business applications  
for Fortune 500 organizations. For more information visit  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as  
is" without warranty of any kind. Trustwave disclaims all  
warranties, either express or implied, including the  
warranties of merchantability and fitness for a particular  
purpose. In no event shall Trustwave or its suppliers be  
liable for any damages whatsoever including direct,  
indirect, incidental, consequential, loss of business  
profits or special damages, even if Trustwave or its  
suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or  
limitation of liability for consequential or incidental  
damages so the foregoing limitation may not apply.  
  
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.  
`