IBM Support

Potential Security and Data Loss Issues with TSM Windows and AIX JBB clients - June 2011

Flashes (Alerts)


Abstract

Fixes are available for one security vulnerability in the IBM Tivoli Storage Manager (TSM) Windows Journal Based Backup (JBB) and AIX JBB clients, and one security vulnerability and one potential data loss issue in the TSM Windows clients with alternate data streams (named streams), as described below.

Content

One security vulnerability and one potential data loss issue have been identified in the TSM Windows backup-archive clients with alternate data streams (named streams), and one security vulnerability has been identified in the TSM Windows and AIX JBB clients. Fixes are available (see tables below with the first fixing level for each vulnerability or issue).

IBM's assessment of the base Common Vulnerability Scoring System (CVSS) scores for the security vulnerabilities range between 6.0 and 6.8.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the CVSS is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. For information on CVSS scores, please see www.first.org/cvss.



1. IC77049, CVE-2011-1222, Windows x32, Windows x64, and AIX backup-archive client JBB Local Buffer Overrun:
A potential local buffer overrun vulnerability, which may crash the TSM client or allow malicious code injection, exists in the Windows x32, Windows x64, and AIX Journal Based Backup (JBB) function. The malicious code could, for example, allow a local unauthorized user (a user with a local account) to read, copy, alter, or delete files on the client machine.

CVSS base score: 6.8
Access vector: Local
Access Complexity: Low
Authentication: Single
Temporal Score: 5.0
Exploitability: Unproven
Remediation Level: Official-Fix

Client ReleaseVulnerable Supported Win x32, Win x64, and AIX Client LevelsFirst Level with Fix within that Release for all affected clients
TSM 6.26.2.0.0 through 6.2.1.3
6.2.2
TSM 6.16.1.0.0 through 6.1.3.5
6.1.4
TSM 5.55.5.0.0 through 5.5.2.12
5.5.3
TSM 5.45.4.0.0 through 5.4.3.3
5.4.3.4

Prior versions of TSM that are no longer in support, such as TSM 5.3, are also affected. Those TSM clients should be upgraded to a supported level which includes this fix. There is no workaround.

Note: the fixing levels for the AIX JBB client for this vulnerability are the same as the levels that fixed the client vulnerabilities disclosed in the TSM December 2010 UNIX/Linux Client Security flash: http://www.ibm.com/support/docview.wss?uid=swg21454745. If you already applied the AIX fixes for that previous security flash, you have applied the AIX fix for this vulnerability also.


2. IC77052, CVE-2011-1223, Windows backup-archive client Alternate Data Stream Local Buffer Overrun:
A potential local buffer overrun vulnerability, which may crash the TSM client or allow malicious code injection, exists in Windows backup-archive client alternate data stream processing (also known as named stream processing). The malicious code could, for example, allow a local unauthorized user (a user with a local account) to read, copy, alter, or delete files on the client machine.

UNIX, Linux, and NetWare backup-archive clients are unaffected by this vulnerability.

CVSS base score: 6.0
Access Vector: Local
Access Complexity: High
Authentication: Single
Temporal Score: 4.4
Exploitability: Unproven
Remediation Level: Official-Fix

Client ReleaseVulnerable Supported Windows Client LevelsFirst Level with Fix within that Release for all affected clients
TSM 6.26.2.0.0 through 6.2.1.3
6.2.2
TSM 6.16.1.0.0 through 6.1.3.1
6.1.4*
TSM 5.55.5.0.0 through 5.5.2.10
5.5.3**
TSM 5.45.4.0.0 through 5.4.3.3
5.4.3.4
* = interim fixes 6.1.3.2 through 6.1.3.5 included the fix for all affected client platforms that were delivered with those interim fixes
** = interim fix 5.5.2.12 included the fix for all affected client platforms that were delivered with that interim fix

Prior versions of TSM that are no longer in support, such as TSM 5.3, are also affected. Those TSM clients should be upgraded to a supported level which includes this fix. There is no workaround.


3. IC74905, TSM Windows Backup-Archive client can incorrectly back up EFS encrypted files that have Alternate Data Streams
The Windows client can potentially cause corrupted backup or archive copies of files to be sent to the TSM server when all of these conditions are met:
  • The file is encrypted by Microsoft EFS encryption
  • The file contains at least one alternate (named) data stream
  • The size of the primary (unnamed) data stream is less than 64 KB
  • The sum of the sizes of all alternate data streams is greater than 64 KB

Affected backup and archive copies are invalid. When one of the corrupted files is restored or retrieved, error messages ANS1797E and ANS9999E may be seen, and sometimes error message ANS4987E.

A tool is available from IBM Support that aids in identifying files that could potentially have been affected by IC74905. The tool is run on the client machine and creates a list of all files currently residing on the machine that meet all of the required criteria for this problem.

Note: due to a Microsoft issue with sparse EFS files with Alternate Data Streams on Windows 2003, Windows 2003 R2, and Windows XP (documented in their Knowledge Base article http://support.microsoft.com/kb/2525290), TSM cannot correctly back up and restore sparse EFS files on those operating systems, even with the fix for IC74905. IBM opened APAR IC75758 to document the Microsoft issue.

Client ReleaseAffected Supported Windows Client LevelsFirst Level with Fix within that Release for all affected clients
TSM 6.26.2.0.0 through 6.2.2.0
6.2.2.2
TSM 6.16.1.0.0 through 6.1.4.1
6.1.4.2
TSM 5.55.5.0.0 through 5.5.3.2
5.5.3.3
TSM 5.45.4.0.0 through 5.4.3.3
5.4.3.4

Prior versions of TSM that are no longer in support, such as TSM 5.3, are also affected. Those TSM clients should be upgraded to a supported level which includes this fix. There is no workaround.


SOLUTION:
For all three vulnerabilities or issues, install the TSM client packages that include the fix for your supported TSM client release level. See the tables above for the first fixing level for each vulnerability or issue. Later levels within the release are cumulative and will also contain the fix. See this page for links to the latest fixpack and interim fix update packages for each release: http://www.ibm.com/support/docview.wss?uid=swg21239415.

All three vulnerabilities or issues were identified internally by IBM.

Related Information

[{"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Client","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"}],"Version":"5.4;5.5;6.1;6.2","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
25 September 2022

UID

swg21457604