-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1215
       Two unauthorized access vulnerabilities in IBM TSM for Space
               Management (CVE-2012-4859 and CVE-2012-5954)
                             20 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Storage Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   HP Itanium
                   Linux variants
                   Solaris
Impact/Access:     Access Privileged Data -- Existing Account
                   Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5954 CVE-2012-4859 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21615292

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Two unauthorized access vulnerabilities in IBM TSM for Space 
Management (CVE-2012-4859 and CVE-2012-5954).

Flash (Alert)

Document information

Tivoli Storage Manager for Space Management

Software version:
5.4, 5.5, 6.1, 6.2, 6.3

Operating system(s):
AIX, HP Itanium, HP-UX, Linux/x86, Solaris

Reference #:
1615292

Modified date:
2012-12-19

Abstract

Unauthorized access vulnerabilities exist in IBM Tivoli Storage Manager (TSM) 
for Space Management (HSM)

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2012-4859
Description: A local unauthorized malicious user can access and manipulate all 
file system objects on affected systems. Internal APAR IC87006 was opened for 
this vulnerability.

Using the Common Vulnerability Scoring System (CVSS) v2, the security rating
for this issue is:
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79843 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2012-5954
Description: A remote unauthorized malicious user can access and manipulate 
all file system objects managed by TSM HSM on affected systems. Other file 
system objects cannot be accessed by the user on those systems. Internal APAR 
IC86724 was opened for this vulnerability.

Using the Common Vulnerability Scoring System (CVSS) v2, the security rating 
for this issue is:
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80668 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:

IBM Tivoli Storage Manager for Space Management supported versions 5.5 through 
6.3, and unsupported versions prior to 5.5. HSM 6.4 is unaffected.

REMEDIATION:

Apply the fixing versions of HSM when available (see table below), and use the 
Mitigation until the fixes can be applied. Customers using HSM versions prior 
to 6.2 must upgrade to the newer fixed versions of HSM, or use the mitigation 
below.

With the fixes or mitigation, execution of the following HSM commands by non-
root users will no longer be possible:

    dsmdf
    dsmdu
    dsmls
    dsmmigfs
    dsmmigrate
    dsmrecall 

HSM Release	HSM Vulnerable Levels		Fixing HSM Level
6.3		6.3.0.0 through 6.3.0.17	6.3.1.0
6.2		6.2.0.0 through 6.2.4.4		6.2.5.0
						Target availability: April 2, 
						2013
6.1		all				Upgrade to fixing 6.3 client, 
						or 6.4, or use Mitigation
5.5		all				Upgrade to fixing 6.3 client, 
						or 6.4, or use Mitigation
prior 		all				Upgrade to fixing 6.3 client,
unsupported 					or 6.4, or use Mitigation
releases		
 
Note: HSM 6.4 is unaffected, and does not allow the execution of HSM commands 
by non-root users.

MITIGATION:

The non-root support provided by the dsmrootd binary must be disabled in order 
to mitigate these vulnerabilities. As a result, execution of the HSM commands 
listed under the Remediation section by non-root users will no longer be 
possible with this mitigation.

The following procedures must be executed as root user.

AIX and Linux platforms with HSM managed GPFS

On machines where HSM is installed to manage GPFS, the dsmrootd must be 
replaced.

1. Disable failover
Invoke the command
dsmmigfs disablefailover

2. Stop the dsmrootd process
Invoke the command
kill -SIGTERM <dsmrootd_pid>
Replace <dsmrootd_pid> with the process id of the dsmrootd

3. Delete the dsmrootd file
On AIX this file is located in /usr/tivoli/tsm/client/hsm/bin on Linux this 
file is located in /opt/tivoli/tsm/client/hsm/bin.

4. Replace the dsmrootd file with a shell script named dsmrootd.
The script has the following content:

#!/bin/sh
exit_with_grace()
{
exit 0
}
if [ "x$1" != "x--" ]; then
$0 -- 1> /dev/null 2> /dev/null &
exit 0
fi
trap "exit_with_grace" USR1 TERM QUIT
while true; do
sleep 5;
done

The script must be owned by the root user and the execution permission must be 
set for the root user. To achieve this invoke the following commands:

chmod u+x /<path>/tivoli/tsm/client/hsm/bin/dsmrootd
chown root /<path>/tivoli/tsm/client/hsm/bin/dsmrootd
replace here <path> with either opt or usr.
On AIX for example execute
chmod u+x /usr/tivoli/tsm/client/hsm/bin/dsmrootd
chown root /usr/tivoli/tsm/client/hsm/bin/dsmrootd

5. Enable failover
Invoke the command
dsmmigfs enablefailover

Other platforms

On machines where JFS2 or VxFS file systems are HSM managed the dsmrootd 
binary must be removed.

1. Stop the dsmrootd process
Invoke the command
kill -SIGTERM <dsmrootd_pid>
Replace <dsmrootd_pid> with the process id of the dsmrootd

2. Remove the dsmrootd file.
On AIX JFS2 this file is located in /usr/tivoli/tsm/client/hsm/bin, on HP-UX 
and Solaris Sparc this file is located in /opt/tivoli/tsm/client/hsm/bin.

OPTIONAL ACTIONS:

All platforms
In order to prevent the commands listed in the Remediation section from hanging 
when non-root users try to execute them, remove the execution permission bit 
for others (o) from the corresponding files located in 
/usr/tivoli/tsm/client/hsm/bin in case of AIX or in 
/opt/tivoli/tsm/client/hsm/bin for other platforms.

The execution permission is removed with the following command:

chmod o-x /<path>/tivoli/tsm/client/hsm/bin/<file_name>
replace here <path> with the appropriate path and <file_name> with either one 
commands listed above or simply specify asterisk "*" for all files.
For example on Linux execute either
chmod o-x /opt/tivoli/tsm/client/hsm/bin/dsmdf
or
chmod o-x /opt/tivoli/tsm/client/hsm/bin/*

These vulnerabilities were found internally by IBM.

REFERENCES:

    Complete CVSS Guide
    On-line Calculator V2
    CVE-2012-4859
    CVE-2012-5954
    X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/79843
    X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/80668

CHANGE HISTORY:

18 December 2012: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list 
of IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUNK8be4yVqjM2NGpAQL0bBAAiNPcs7HFgcdQ+aBPT0VP7V3mUSZFfeu0
zFXqk/CMWY8ZMp34fP4xs+gH4YG9V96f2aIIUnhQ28cYdNrdV1C10hEnueK1ogBo
iA2DgI7U5rgTQllY5Ih6SX1Qa1Wlg1MDntMSPEqvjZosP17lOcBigQFnLjMbCOI8
vB/7Sjb9onaPjTNDkEv6O3ijm8dHRtrfrmQ2JRmkFMH2HJdp/8cWi3aZWFr3aF33
QPZuN3KfAcKlx2GLseqLLtxbnA+8YH5lpS0T70+iGnuHO84lTcvkysiOQS8ao95j
G/as3jbkZI/ZimN4NcsSMoIrjyJ+mBmtldy+4jmFKUgwZg/LNpkdbjujqNrSRvaa
mzc+2BgdvT+pwGlOZBzywx8HeBbbQUT4et8tvHjyJ0l76s+zXufBjWuj6J3+8IOr
jpZu/Xhr2jP+stM9Burk2WhMhJFClDEFN7/oSEpgOr5yxk4rFfazi7crqAMoFcG7
K3w0wMwXphYOTaNsxFXPJ3SqSteeQALZUxZq0Uricl9w5p2KUIM95ky5AvRqkslX
/SPzowBAt5zXKkMwFwkf8A1z1nW14vME28oD1BfpBwYJznMTXEj16/gxPf17l/kc
S6S07cA+Z6eEjFk9Xlra8NebQEsbmZkjN30a48iskBtJfJiW0wJgYy2Uu5TP0UIY
tok4ZMx8DDc=
=F7P2
-----END PGP SIGNATURE-----