Security Vulnerability found in several Tivoli Storage Manager products, Upgrade your Backup Software
Vladislavs Tatarincevs 31 October 2008 11:22:54
TSM is great backup software; many customers use it to back up Domino.
IBM just published a technote that TSM people may find interesting.
TSM client buffer overrun security vulnerability
http://www-01.ibm.com/support/docview.wss?rs=0&q1=%2bTivoli+%2bDOmino+%2bagent&uid=swg21322623&loc=en_US&cs=utf-8&cc=us&lang=all
Abstract
A security vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client. The buffer overrun vulnerability affects the Client Acceptor Daemon (CAD), and also the scheduler if using SCHEDMODE PROMPTED. A workaround and fix are available.
Content
Problem Summary:
A buffer overrun vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client (APAR IC56773). The buffer overrun can be exploited to crash the client and potentially to inject and execute malicious code. This vulnerability affects two areas of the client:
- the Client Acceptor Daemon (CAD) and its remote agent
- the Backup-Archive client scheduler and scheduler service when the option SCHEDMODE is set to PROMPTED, whether or not the scheduler is managed by the CAD
The CAD is not started by default when the Backup-Archive client is started, except for TSM Express Backup-Archive clients. The CAD must be started separately to be used, and there is no exposure to the CAD vulnerability if it is not started.
The following client functions use the CAD and/or the remote agent:
- the Web Client GUI
- CAD-managed scheduler (the default is the traditional scheduler, except for Macintosh and TSM Express clients)
Six related TSM products do not themselves contain this vulnerability, but some of their functions require the CAD to be running in the Backup-Archive client, which does. These specific products and functions are:
- TSM for Mail: Data Protection (DP) for Domino - Remote GUI only
- TSM for Copy Services - VSS operations only
- TSM for Databases: DP for SQL - VSS operations only
- TSM for Mail: DP for Exchange - VSS operations only
- TSM for Advanced Copy Services - DB2 UDB Integration Module only
- TSM Administration Center - remote access to Web Backup-Archive client GUI only
Workaround:
1. Set the SCHEDMODE option back to POLLING (the default) in the client options file (dsm.sys or dsm.opt) on the client machine
2. Stop using the CAD and stop its executable (dsmcad) if it is running
Note: there are no workarounds for TSM Express clients. You must install their fixing client update.
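The two workaround steps above, as a small audit-and-fix script. This is an added example, not IBM's tooling or part of the technote. It assumes a UNIX-style dsm.sys with one or more SERVERNAME stanzas (a Windows dsm.opt has no stanza and is reported as "(default)"), the default UNIX options path /opt/tivoli/tsm/client/ba/bin, and that `ps -o comm=` prints bare command names on the host.

```shell
#!/bin/sh
# Audit and apply the IC56773 workaround on a TSM Backup-Archive client.
# Added example, not IBM's tooling. Assumptions: a UNIX-style dsm.sys with one
# or more SERVERNAME stanzas (a Windows dsm.opt has no stanza and is reported
# as "(default)"); the default UNIX options path /opt/tivoli/tsm/client/ba/bin.

# Print "STANZA MODE" for each server stanza. TSM option keywords are
# case-insensitive and may be abbreviated (SCHEDMODe, POlling, PRompted),
# lines beginning with '*' are comments, and the default is POLLING.
tsm_schedmodes() {
    awk '
        function flush() { if (seen) print name, (mode == "" ? "POLLING" : mode) }
        /^[[:space:]]*\*/ || NF == 0 { next }
        toupper($1) == "SERVERNAME" { flush(); seen = 1; name = toupper($2); mode = ""; next }
        toupper($1) ~ /^SCHEDMOD/ {
            seen = 1
            if (name == "") name = "(default)"
            mode = (toupper($2) ~ /^PR/) ? "PROMPTED" : "POLLING"
        }
        END { flush() }
    ' "$1"
}

# Stanzas still on the vulnerable setting.
tsm_prompted_stanzas() {
    tsm_schedmodes "$1" | awk '$2 == "PROMPTED" { print $1 }'
}

# Workaround step 1: rewrite SCHEDMODE PROMPTED to POLLING, keeping the line's
# indentation. Keeps a .bak copy and writes back through cat so the file's
# owner and mode are preserved (sed -i differs between GNU and BSD sed).
tsm_set_polling() {
    file="$1"
    cp -p "$file" "$file.bak"
    awk '
        toupper($1) ~ /^SCHEDMOD/ && toupper($2) ~ /^PR/ {
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) $1 " POLLING"
            next
        }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# Workaround step 2: is the Client Acceptor Daemon running? Stop it (and any
# init script that restarts it) unless a CAD-dependent function from the
# technote is required. Assumes `ps -o comm=` prints bare command names.
tsm_cad_running() {
    ps -eo comm= | grep -qx dsmcad
}

# One-shot report for an options file, e.g.
#   tsm_workaround_report /opt/tivoli/tsm/client/ba/bin/dsm.sys
tsm_workaround_report() {
    prompted=$(tsm_prompted_stanzas "$1" | tr '\n' ' ')
    if [ -n "$prompted" ]; then
        printf 'SCHEDMODE PROMPTED in stanza(s): %s-> run tsm_set_polling %s\n' "$prompted" "$1"
    else
        printf 'SCHEDMODE: no PROMPTED stanzas\n'
    fi
    if tsm_cad_running; then
        printf 'dsmcad is running -> stop it unless the Web client, CAD-managed scheduler or VSS functions are needed\n'
    else
        printf 'dsmcad is not running\n'
    fi
}
```

Source the file and run `tsm_workaround_report` against each options file on the host; `tsm_set_polling` only rewrites the SCHEDMODE lines and leaves everything else, comments included, untouched. Remember that the TSM Express clients have no workaround and need the fixing update regardless of what this reports.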
Backup-Archive Client Levels In Support (or Covered by Support Extensions) that contain the vulnerability:
Release | Client Levels
TSM 5.5 | 5.5.0.0 to 5.5.0.7
TSM 5.4 | 5.4.0.0 to 5.4.2.2
TSM 5.3 | 5.3.0.0 to 5.3.6.1
TSM 5.2 | 5.2.0.0 to 5.2.5.2
TSM 5.1 | 5.1.0.0 to 5.1.8.1
TSM Express | all levels
Solution and Fixing Client Levels:
Install these fixing client update packages. Later levels are cumulative and would also include the fix.
Fix Level | Platforms | Link to Download Page or FTP directory
5.5.1.0* | All clients* | 5.5.1.0 all clients but USS
5.5.1.0 | z/OS Unix System Services (USS) client | Order PTFs UK38417 and UK38418
5.5.1.6* | Windows x32, Windows IA64, Windows x64, Macintosh | 5.5.1.6 Win x32; 5.5.1.6 Win IA64; 5.5.1.6 Win x64; 5.5.1.6 Macintosh
5.4.2.3* | All clients* | 5.4.2.3 all clients but USS
5.4.2.3 | z/OS Unix System Services (USS) client | Order PTFs UK41117 and UK41118
5.4.2.4* | Windows x32, Windows IA64, Windows x64, Macintosh | 5.4.2.4 Win x32; 5.4.2.4 Win IA64; 5.4.2.4 Win x64; 5.4.2.4 Macintosh
5.3.6.2 | AIX, Macintosh, NetWare, Linux x86, HP PA-RISC, Solaris SPARC, Windows x32, Windows x64 | 5.3.6.2 all clients with support extensions
5.3.6.2 "special" | Linux x86 RHEL 3, Solaris 8, Win 2000 | 5.3.6.2 all "special" clients
5.2.5.3 | AIX, Solaris SPARC | 5.2.5.3 AIX; 5.2.5.3 Solaris SPARC
5.1.8.2 | AIX, Solaris SPARC, Tru64 UNIX, Windows NT | 5.1.8.2 AIX; 5.1.8.2 Solaris SPARC; 5.1.8.2 Tru64; 5.1.8.2 Win NT
5.3 Express | Windows x32, Windows x64 | 5.3.6.2 Express
* Note: While the 5.5.1.0 and 5.4.2.3 client updates fixed this security vulnerability for all client platforms in those releases, the Windows and Macintosh clients at those levels contain other issues described by the Windows IC57348 flash and the Macintosh IC57344 flash. Read both flashes and evaluate whether to apply the later interim fix (5.5.1.6 or 5.4.2.4), which fixes those issues as well as the security vulnerability on those platforms.
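Checking an installed client against the two tables above, as an added example that is not part of the technote. The vulnerable ranges and fixing levels are copied from the tables; the "Client Version X, Release Y, Level Z.W" banner line that dsmc prints before any command is an assumption about its output format, and the hypothetical `tsm_ic56773_*` names are mine. TSM Express is deliberately not covered: all its levels are vulnerable, so the product, not the level, decides.

```shell
#!/bin/sh
# Classify an installed TSM Backup-Archive client level against the vulnerable
# ranges in the IC56773 technote. Added example, not IBM's tooling. The
# "Client Version X, Release Y, Level Z.W" banner line printed by dsmc is an
# assumption about its output format; TSM Express is not covered (all its
# levels are vulnerable, so check the product, not the level).

# Turn "5.5.0.7" into 5005000007 so dotted levels compare as integers.
tsm_vernum() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    printf '%d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Inclusive vulnerable ranges and first fixing level, from the technote tables.
TSM_IC56773_RANGES='
5.5.0.0 5.5.0.7 5.5.1.0
5.4.0.0 5.4.2.2 5.4.2.3
5.3.0.0 5.3.6.1 5.3.6.2
5.2.0.0 5.2.5.2 5.2.5.3
5.1.0.0 5.1.8.1 5.1.8.2
'

# Pull the dotted level out of a dsmc banner on stdin, e.g.
#   "  Client Version 5, Release 5, Level 0.7" -> 5.5.0.7
tsm_version_from_banner() {
    sed -n 's/.*Client Version \([0-9]*\), Release \([0-9]*\), Level \([0-9]*\.[0-9]*\).*/\1.\2.\3/p' | head -n 1
}

# tsm_ic56773_status LEVEL -> "VULNERABLE fix=X" or "OK". Later levels are
# cumulative, so anything above a range's upper bound is treated as fixed.
# The here-document keeps the loop in the current shell, so "result" survives.
tsm_ic56773_status() {
    v=$(tsm_vernum "$1")
    result=OK
    while read -r lo hi fix; do
        [ -n "$lo" ] || continue
        if [ "$v" -ge "$(tsm_vernum "$lo")" ] && [ "$v" -le "$(tsm_vernum "$hi")" ]; then
            result="VULNERABLE fix=$fix"
            break
        fi
    done <<EOF
$TSM_IC56773_RANGES
EOF
    printf '%s\n' "$result"
}

# Banner on stdin -> "LEVEL STATUS". Typical use on a client host (assumed
# invocation; dsmc is given empty stdin so it does not wait for input):
#   dsmc </dev/null 2>&1 | tsm_ic56773_check_host
tsm_ic56773_check_host() {
    level=$(tsm_version_from_banner)
    [ -n "$level" ] || { printf 'could not parse client level\n'; return 2; }
    printf '%s %s\n' "$level" "$(tsm_ic56773_status "$level")"
}
```

Feed the function the banner from each host (or a saved inventory of banner lines) and act on every VULNERABLE result; a Windows or Macintosh client that comes back fixed at 5.5.1.0 or 5.4.2.3 should still be checked against the IC57348 and IC57344 flashes referenced in the note above.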
Acknowledgements:
This problem (ZDI-CAN-321) was brought to IBM's attention by TippingPoint (a division of 3Com) and its Zero Day Initiative.
[edited 30 Oct 2008 to clarify Workaround section]