** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI CSIRT ADVISORY [EGI-ADV-2010-12-16]
Title: HIGH root vulnerabilities in Tivoli Storage Manager (TSM) client software [EGI-ADV-20101216] TLP:WHITE
Multiple vulnerabilities have been found in the IBM Tivoli Storage Manager (TSM) client software.
This is a HIGH risk for the EGI infrastructure as a whole, but is CRITICAL for sites running the vulnerable software.
A patch is available from the vendor (see link below).
One of the vulnerabilities would allow an unauthorized user with network access to the client to execute commands on it.
These commands could, for example, allow the attacker to read, copy, alter, or delete files on the client machine.
The other vulnerabilities would allow a local user to read, copy, alter, or delete files, or to replace system files on the client with arbitrary content.
The affected software is the IBM Tivoli Storage Manager (TSM) client. On Red Hat systems the packages are named TIVsm-*.
For each release, the vendor has provided the version numbers for the vulnerable and fixed patch levels.

Release   Vulnerable versions                   Fixed version
TSM 6.2   188.8.131.52 through 184.108.40.206   6.2.2
TSM 6.1   220.127.116.11 through 18.104.22.168  6.1.4
TSM 5.5   22.214.171.124 through 126.96.36.199  5.5.3
TSM 5.4   188.8.131.52 through 184.108.40.206   220.127.116.11
To mitigate the local user vulnerabilities, sites may delete the dsmtca binary or remove its SUID bit.
dsmtca (the Trusted Communication Agent) is installed SUID root so that non-root users can run the backup/archive client; without the bit,
local users can no longer run the backup/archive client, but root-initiated backups should continue to work.
At this time, we do not have a confirmed mitigation for the more serious remote user vulnerability.
Component Installation information
Fixes and instructions are available from IBM, linked from the Alert at
Sites running IBM Tivoli Storage Manager should check whether they are running a vulnerable version.
Sites running a vulnerable version should apply the vendor patches immediately.
If it is not possible to apply the patches immediately, sites should evaluate the mitigation proposed above.
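The following script is an added example, not part of the EGI advisory or of IBM's instructions. It covers the two steps above: it compares an installed TSM client version against the fixed patch levels the advisory lists (6.2.2, 6.1.4, 5.5.3; the 5.4 fixed level is not legible on this page, so 5.4 is reported as "unknown" and must be checked against the IBM alert by hand), and it checks for, and strips, the SUID bit on dsmtca. The package name TIVsm-BA and the default dsmtca path /opt/tivoli/tsm/client/ba/bin/dsmtca are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the EGI advisory): check a TSM client version against
# the advisory's fixed levels and apply the SUID mitigation for dsmtca.

# Fixed patch level per release, as listed in the advisory's table.
# TSM 5.4 is omitted because its fixed level is not legible on the page.
tsm_fixed_version() {
    case "$1" in
        6.2.*) echo 6.2.2 ;;
        6.1.*) echo 6.1.4 ;;
        5.5.*) echo 5.5.3 ;;
        *) return 1 ;;
    esac
}

# Succeed (exit 0) when dotted version $1 is numerically lower than $2,
# comparing component by component and padding missing components with 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable", "fixed" or "unknown" for an installed client version.
tsm_status() {
    fixed=$(tsm_fixed_version "$1") || { echo unknown; return 0; }
    if version_lt "$1" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Version of the installed backup-archive client via rpm.
# Package name TIVsm-BA is an assumption; the advisory only says TIVsm-*.
installed_tsm_version() {
    rpm -q --qf '%{VERSION}\n' "${TSM_PKG:-TIVsm-BA}" 2>/dev/null
}

# Succeed when the file $1 carries the set-uid bit (POSIX find -perm -4000).
is_suid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Advisory mitigation: strip the set-uid bit from dsmtca and verify it is gone.
# Root-initiated backups keep working; local users lose the client.
strip_suid() {
    chmod u-s -- "$1" && ! is_suid "$1"
}

# Full check for one host: report the version status and the dsmtca SUID state.
# Default dsmtca path is an assumption; override with DSMTCA=/path.
tsm_check() {
    dsmtca=${DSMTCA:-/opt/tivoli/tsm/client/ba/bin/dsmtca}
    ver=$(installed_tsm_version) || { echo "TSM client package not installed"; return 0; }
    echo "TSM client $ver: $(tsm_status "$ver")"
    if [ -e "$dsmtca" ]; then
        if is_suid "$dsmtca"; then
            echo "$dsmtca is SUID; run: chmod u-s $dsmtca  (advisory mitigation)"
        else
            echo "$dsmtca is not SUID"
        fi
    fi
}

# Run the host check only when invoked with --check, so sourcing the file
# (for example to reuse tsm_status) has no side effects.
case "${1:-}" in
    --check) tsm_check ;;
esac
```

Run `sh tsm_check.sh --check` as root on each TSM client host; a "vulnerable" result means patch now, and the printed chmod is the interim mitigation if that is not immediately possible.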
This vulnerability was reported by IBM and Kryptos Logic.
2010-12-14 IBM alert published
2010-12-15 EGI CSIRT / RAT /SVG notified
2010-12-16 EGI advisory published
On behalf of the EGI CSIRT and SVG