===================================================================== CERT-Renater Note d'Information No. 2010/VULN394 _____________________________________________________________________ DATE : 30/09/2010 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running IBM Tivoli Storage Manager FastBack Flash. ====================================================================== http://www-01.ibm.com/support/docview.wss?uid=swg21443820 ______________________________________________________________________ Security fixes available for IBM Tivoli Storage Manager FastBack Flash (Alert) Abstract Fixes are available for security vulnerabilities identified in the following IBM Tivoli Storage Manager Fastback releases: Content Vulnerable Levels: FastBack Release Affected Levels 5.5 5.5.0.0 through 5.5.6.0 6.1 6.1.0.0 through 6.1.0.1 These fixes address issues described in APAR IC69883. Security vulnerabilities exist in the specified versions of IBM Tivoli Storage Manager FastBack. These security vulnerabilities are documented in APAR IC69883 and are described by the following four issues: Issue 1: IBM Tivoli Storage Manager FastBack Mount Service Buffer Overrun Vulnerability Problem Summary: A remote buffer overrun vulnerability exists in IBM Tivoli Storage Manager FastBack Mount, which has the potential to crash the IBM Tivoli Storage Manager FastBack Mount process or to allow malicious code injection. The malicious code could, for example, allow an unauthorized user to read, copy, alter, or delete files on the affected machine. Who is affected? Customers using a vulnerable level of IBM Tivoli Storage Manager FastBack Mount on a system vulnerable to attack are affected. Issue 2: IBM Tivoli Storage Manager FastBack Server Remote Code Execution and Unauthorized Access Vulnerability Problem Summary: The FastBack Client and FastBack Server accept a command by an attacker that can cause remote code to run. Such an attack might allow an unauthorized user to read and write data on the FastBack Server system. Who is affected? Customers using a vulnerable level of IBM Tivoli Storage Manager FastBack Client and Server on a system vulnerable to attack are affected. Issue 3: IBM Tivoli Storage Manager FastBack Server Remote Denial of Service Vulnerability Problem Summary: The FastBack Client and FastBack Server is vulnerable to an attack that might cause the FastBack Server to fail and stop backup operations. Such an attack might cause data not to be backed up. Who is affected? Customers using a vulnerable level of IBM Tivoli Storage Manager FastBack Client and Server on a system vulnerable to attack are affected. Issue 4: IBM Tivoli Storage Manager FastBack Mount Remote Denial of Service Vulnerability Problem Summary: The FastBack Shell and FastBack Mount are vulnerable to an attack that might cause FastBack Mount to fail and stop recovery operations. Such an attack might cause one or more of the following issues for IBM Tivoli Storage Manager FastBack Mount: o Reduced performance o Application freeze o System failure o Data loss Who is affected? Customers using a vulnerable level of IBM Tivoli Storage Manager FastBack Shell and Mount on a system vulnerable to attack are affected. Recommendation: If you are using a vulnerable level of IBM Tivoli Storage Manager FastBack 5.5, install version 5.5.7. This version includes the fixes for the vulnerabilities described in this flash. If you are using a vulnerable level of IBM Tivoli Storage Manager FastBack 6.1, install version 6.1.1. This version includes the fixes for the vulnerabilities described in this flash. FastBack Release Vulnerable levels First level with fix within that release IBM Tivoli Storage Manager FastBack 5.5 5.5.0.0 through 5.5.6.0 5.5.7 Available: September 15, 2010 IBM Tivoli Storage Manager FastBack 6.1 6.1.0.0 through 6.1.0.1 6.1.1 Available: July 30, 2010 Later levels within the specified releases are cumulative and include the fix. APAR IC69883 fixed the following 11 vulnerabilities: ZDI-CAN-700 ZDI-CAN-701 ZDI-CAN-661 ZDI-CAN-662 ZDI-CAN-663 ZDI-CAN-664 ZDI-CAN-656 ZDI-CAN-657 ZDI-CAN-658 ZDI-CAN-659 ZDI-CAN-660 How to obtain the fix: Download the appropriate IBM Tivoli Storage Manager FastBack version by completing the following steps: 1. Go to the IBM Support Fix Central Web site. 2. For Product Group, select Tivoli. Click Continue. 3. For Product, select IBM Tivoli Storage Manager FastBack. Click Continue. 4. For Installed Version, select the appropriate version and click Continue. 5. For Platform, select the appropriate platform. Click Continue. 6. Sign in using your IBM ID and password. 7. In the Identify Fixes window, select Browse fixes. Do not select the checkbox for Do not show fixes that change my installed version. Click Continue. 8. In the Select fixes window, select All fixes. 9. Select the appropriate version to download and click Continue. 10. Select a location to save the code package. Write the location where you save the code package. Acknowledgement: The issues depicted in the APAR above were reported to IBM by TippingPoint. No known customers are affected by these issues. Copyright and trademark information IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================