copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2012.0612 - [Win][UNIX/Linux] IBM System Storage: Multiple vulnerabilities

Date: 25 June 2012

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0612
         Cross-site scripting and SQL Injection vulnerabilities in
                        IBM System Storage products
                               25 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM System Storage
Publisher:         ISS
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2172 CVE-2012-2171 

Original Bulletin: 
   http://xforce.iss.net/xforce/xfdb/75236
   http://xforce.iss.net/xforce/xfdb/75239

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM System Storage Storage Manager Profiler SQL injection

ssds-smp-sql-injection (75236)	Medium Risk

Description:

IBM System Storage is vulnerable to SQL injection. A remote attacker could send
specially-crafted SQL statements via the Manager Profiler, which could allow the
attacker to view, add, modify or delete information in the back-end database.

*CVSS:

Base Score:			6.5
  Access Vector:		Network
  Access Complexity:		Low
  Authentication:		Single
  Confidentiality Impact:	Partial
  Integrity Impact:		Partial
  Availability Impact:		Partial
 
Temporal Score:			5.7
  Exploitability:		High
  Remediation Level:		Official-Fix
  Report Confidence:		Confirmed

Consequences:

Data Manipulation

Remedy:

Refer to the IBM Security Bulletin for patch, upgrade or suggested workaround
information. See References.

References:

IBM Security Bulletin: IBM System Storage DS Storage Manager Profiler SQL
Injection and Cross-Site Scripting Vulnerabilities (CVE-2012-2171,
CVE-2012-2172).
https://www-304.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172?lang=en_us

ZSL-2012-5094: IBM System Storage DS Storage Manager Profiler Multiple
Vulnerabilities.
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

BID-54112: IBM System Storage Manager Profiler SQL Injection and Cross Site
Scripting Vulnerabilities
http://www.securityfocus.com/bid/54112

CVE-2012-2171: SQL injection vulnerability in ModuleServlet.do in the Storage
Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on
DS Series devices allows remote authenticated users to execute arbitrary SQL
commands via the selectedModuleOnly parameter in a state_viewmodulelog action to
the ModuleServlet URI.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2171

SA49582: IBM System Storage Products Storage Manager Cross-Site Scripting and
SQL Injection Vulnerabilities
http://secunia.com/advisories/49582

Platforms Affected:

IBM System Storage DCS3700
IBM System Storage DS3200
IBM System Storage DS3300
IBM System Storage DS3400
IBM System Storage DS3512
IBM System Storage DS3524
IBM System Storage DS3950
IBM System Storage DS4100
IBM System Storage DS4200
IBM System Storage DS4300
IBM System Storage DS4400
IBM System Storage DS4500
IBM System Storage DS4700
IBM System Storage DS4800
IBM System Storage DS5020
IBM System Storage DS5100
IBM System Storage DS5300
Reported:

Jun 20, 2012

The information within this database may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (IBM Internet Security Systems X-Force) be held liable for
any damages whatsoever arising out of or in connection with the use or spread of
this information.

For corrections or additions please email xforce@iss.net

Return to the main page

* According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 

The information within this database may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall IBM be held
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information.

About IBM Internet Security Systems
IBM Internet Security Systems is a trusted security advisor to thousands of the
world's leading businesses and governments, helping to provide pre-emptive
protection for networks, desktops and servers. The IBM Proventia integrated
security platform is designed to automatically protect against both known and
unknown threats, helping to keep networks up and running and shield customers
from online attacks before they impact business assets. IBM Internet Security
Systems products and services are based on the proactive security intelligence
of its X-Force research and development team an unequivocal world authority
in vulnerability and threat research. The IBM Internet Security Systems product
line is also complemented by comprehensive Managed Security Services and
Professional Security Services. For more information, visit the IBM Internet
Security Systems Web site at www.iss.net or call 800-776-2362.

- -----------------------------------------------------------------------------

IBM System Storage Manager Profiler cross-site scripting

ssds-multiple-mp-xss (75239)	Medium Risk

Description:

IBM System Storage is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the Manager Profiler. A remote attacker
could exploit this vulnerability using specially-crafted URL to execute script
in a victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials.

*CVSS:

Base Score:			4.3
  Access Vector:		Network
  Access Complexity:		Medium
  Authentication:		None
  Confidentiality Impact:	None
  Integrity Impact:		Partial
  Availability Impact:		None
 
Temporal Score:			3.7
  Exploitability:		High
  Remediation Level:		Official-Fix
  Report Confidence:		Confirmed

Consequences:

Gain Access

Remedy:

Refer to the IBM Security Bulletin for patch, upgrade or suggested workaround
information. See References.

References:

IBM Security Bulletin: IBM System Storage DS Storage Manager Profiler SQL
Injection and Cross-Site Scripting Vulnerabilities (CVE-2012-2171,
CVE-2012-2172).
https://www-304.ibm.com/connections/blogs/PSIRT/entry/secbulletin_stg-storage_cve-2012-2171_cve-2012-2172?lang=en_us

ZSL-2012-5094: IBM System Storage DS Storage Manager Profiler Multiple
Vulnerabilities.
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

BID-54112: IBM System Storage Manager Profiler SQL Injection and Cross Site
Scripting Vulnerabilities
http://www.securityfocus.com/bid/54112

CVE-2012-2172: Cross-site scripting (XSS) vulnerability in
SoftwareRegistration.do in the Storage Manager Profiler in IBM System Storage
DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote
attackers to inject arbitrary web script or HTML via the updateRegn parameter.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2172

SA49582: IBM System Storage Products Storage Manager Cross-Site Scripting and
SQL Injection Vulnerabilities
http://secunia.com/advisories/49582

Platforms Affected:

IBM System Storage DCS3700
IBM System Storage DS3200
IBM System Storage DS3300
IBM System Storage DS3400
IBM System Storage DS3512
IBM System Storage DS3524
IBM System Storage DS3950
IBM System Storage DS4100
IBM System Storage DS4200
IBM System Storage DS4300
IBM System Storage DS4400
IBM System Storage DS4500
IBM System Storage DS4700
IBM System Storage DS4800
IBM System Storage DS5020
IBM System Storage DS5100
IBM System Storage DS5300
Reported:

Jun 20, 2012

The information within this database may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the author/
distributor (IBM Internet Security Systems X-Force) be held liable for any
damages whatsoever arising out of or in connection with the use or spread of
this information.

For corrections or additions please email xforce@iss.net


* According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY. 

The information within this database may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall IBM be held
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information.

About IBM Internet Security Systems
IBM Internet Security Systems is a trusted security advisor to thousands of the
world's leading businesses and governments, helping to provide pre-emptive
protection for networks, desktops and servers. The IBM Proventia integrated
security platform is designed to automatically protect against both known and
unknown threats, helping to keep networks up and running and shield customers
from online attacks before they impact business assets. IBM Internet Security
Systems products and services are based on the proactive security intelligence
of its X-Force research and development team an unequivocal world authority
in vulnerability and threat research. The IBM Internet Security Systems product
line is also complemented by comprehensive Managed Security Services and
Professional Security Services. For more information, visit the IBM Internet
Security Systems Web site at www.iss.net or call 800-776-2362.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT+fILO4yVqjM2NGpAQJH8BAAvd2N36mBBdqOysTQuSPX+dO29juQvpoe
nPSDjKDHIl5MJFutFE75msiAY7+1xqwMTQNXYsgSDlOS+NkY/KKaDkwB+O5rxHj9
5vPbzLyEiFRaYttD0+W1DGtR37Xjlq2GDI3jI8fchZNiaRdnsURA0BGYjI2T09N8
eqoMfKl5aoR7gNyafG+6y8xWfCNeMIVO32VCXBhxtKd4lM3qIbAEcwFj2sAZPPdL
QKH415tqPIK73yFcYggz09lIDVdg4FNZFZBr24OVIysvXz1qXk/sJVgEiSRmNBff
vsA99ghBpraM2waky2DRdf1W22NNjaWMz4utgOTtIT3hYAl95N6eMquN9dQJKZnt
4r1crDGusrXTxDjVHrGEtRsSB3vHpBI+OOC61ueOZG9L1ai6RLCqMYD5SLR3FY6u
4OFyQbPRm6Xb7MA4r3+NcEjusdEkTS9C1AsvVCzLZBpE1U2WVMy5kdRe4F4IGGy0
Iv6Y/zfiH5c11sdBQT9FpeRJW6DNNJM6xFkmr7/KaYa2x6/3h1aG6Ks7GmTiiyws
ZcFxRRvtxcMeOKX5aDdE3ZR7YmIFQpa4sm/f0VNvPT2n8+Y7CDuE1aPFgYBvY1Hm
JWl7ZMvOm2Nx67IorvEjT0A4EhP1fYSHOI9LmAbOFpKjaqLJj/wmCeQc2Xk4edSy
ep63vN1XG4k=
=o4PD
-----END PGP SIGNATURE-----