Latvia Lotus User Group (www.vlaad.lv)

Security Vulnrability found in several Tivoli Storage Manager products, Upgrade your Backup Software

Vladislavs Tatarincevs  31 October 2008 11:22:54


TSM is a great backup software, many customers use it to backup Domino.

IBM Just published a technote, which may be interesting to TSM people.

TSM client buffer overrun security vulnerability

http://www-01.ibm.com/support/docview.wss?rs=0&q1=%2bTivoli+%2bDOmino+%2bagent&uid=swg21322623&loc=en_US&cs=utf-8&cc=us&lang=all

Abstract
A security vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client. The buffer overrun vulnerability affects the Client Acceptor Daemon (CAD), and also the scheduler if using SCHEDMODE PROMPTED. A workaround and fix are available.
 


Content
Problem Summary:

A buffer overrun vulnerability exists in the IBM Tivoli Storage Manager (TSM) Backup-Archive client (APAR IC56773). The buffer overrun can be exploited to crash the client and also potentially to inject malicious code. This vulnerabilty affects two areas of the client:
  • the Client Acceptor Daemon (CAD) and its remote agent
  • the Backup-Archive client scheduler and scheduler service when the option SCHEDMODE is set to PROMPTED, whether or not the scheduler is managed by the CAD
If you have option SCHEDMODE set to POLLING (the default), and do not use the CAD, you are not affected by this vulnerability. The workaround and fixing levels are detailed below.

The CAD is not started by default when the Backup-Archive client is started, except for TSM Express Backup-Archive clients. The CAD must be started separately to be used, and there is no exposure to the CAD vulnerability if it is not started.

The following client functions use the CAD and/or the remote agent:
  • the Web Client GUI
  • CAD-managed scheduler (the default is the traditional scheduler, except for Macintosh and TSM Express clients)

Six related TSM products do not contain this vulnerability, but some of their functions require the CAD to be running in the Backup-Archive client. These specific products and functions are:
  • TSM for Mail: Data Protection (DP) for Domino - Remote GUI only
  • TSM for Copy Services - VSS operations only
  • TSM for Databases: DP for SQL - VSS operations only
  • TSM for Mail: DP for Exchange - VSS operations only
  • TSM for Advanced Copy Services - DB2 UDB Integration Module only
  • TSM Administration Center - remote access to Web Backup-Archive client GUI only

Workaround:

1. Set the SCHEDMODE option back to POLLING (the default) on the client machine
2. Stop using the CAD and stop its executable (dsmcad), if it was being used
Note: there are no workarounds for TSM Express clients. You must install their fixing client update.

Backup-Archive Client Levels In Support (or Covered by Support Extensions) that contain the vulnerability:
Release Client Levels
TSM 5.5 5.5.0.0 to 5.5.0.7
TSM 5.4 5.4.0.0 to 5.4.2.2
TSM 5.3 5.3.0.0 to 5.3.6.1
TSM 5.2 5.2.0.0 to 5.2.5.2
TSM 5.1 5.1.0.0 to 5.1.8.1
TSM Express all levels



Solution and Fixing Client Levels:

Install these fixing client update packages. Later levels are cumulative and would also include the fix.
Fix Level Platforms Link to Download Page or FTP directory
5.5.1.0* All clients* 5.5.1.0 all clients but USS
5.5.1.0 z/OS Unix System Services (USS) client Order PTFs UK38417 and UK38418
5.5.1.6* Windows x32
Windows IA64
Windows x64
Macintosh
5.5.1.6 Win x32
5.5.1.6 Win IA64
5.5.1.6 Win x64
5.5.1.6 Macintosh
5.4.2.3* All clients* 5.4.2.3 all clients but USS
5.4.2.3 z/OS Unix System Services (USS) client Order PTFs UK41117 and UK41118
5.4.2.4* Windows x32
Windows IA64
Windows x64
Macintosh
5.4.2.4 Win x32
5.4.2.4 Win IA64
5.4.2.4 Win x64
5.4.2.4 Macintosh
5.3.6.2 AIX
Macintosh
NetWare
Linux x86
HP PA-RISC
Solaris SPARC
Windows x32
Windows x64
5.3.6.2 all clients with support extensions
5.3.6.2 "special" Linux x86 RHEL 3
Solaris 8
Win 2000
5.3.6.2 all "special" clients
5.2.5.3 AIX
Solaris SPARC
5.2.5.3 AIX
5.2.5.3 Solaris SPARC
5.1.8.2 AIX
Solaris SPARC
Tru64 UNIX
Windows NT
5.1.8.2 AIX
5.1.8.2 Solaris SPARC
5.1.8.2 Tru64
5.1.8.2 Win NT
5.3 Express Windows x32
Windows x64
5.3.6.2 Express



* Note: While the 5.5.1.0 and 5.4.2.3 client updates fixed this security vulnerability for all client platforms in those releases, those Windows and Macintosh clients contain other issues described by flashes Windows IC57348 flash and Macintosh IC57344 flash. You should read these two flashes and evaluate whether to apply the later interim fix (5.5.1.6 or 5.4.2.4), which fixes those issues as well as the security vulnerability for those client platforms.

Acknowledgements:

This problem (ZDI-CAN-321) was brought to IBM's attention by Tipping Point (a division of 3Com) and the Zero Day Initiative

[edited 30 Oct 2008 to clarify Workaround section]
Comments
No Comments Found

Discussion for this entry is now closed.