===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2750
 Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli
           Monitoring for Tivoli Storage Manager (CVE-2015-4927)
                              3 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Storage Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Root Compromise -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4927  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21969340

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli 
Monitoring for Tivoli Storage Manager (CVE-2015-4927)

Security Bulletin

Summary

Weak file permissions exist on several files after the installation of Tivoli
Storage Manager Reporting and Monitoring in a Linux or AIX environment. An
attacker could use these files to escalate privileges.

Vulnerability Details

CVEID: CVE-2015-4927

DESCRIPTION: The installation of Tivoli Storage Manager Reporting & Monitoring
leaves world-writable files with root ownership on the system for Unix and 
Linux versions. An attacker could make use of these files to escalate
privileges.

CVSS Base Score: 7.2

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104087 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring) 
7.1, 6.3, 6.2, and 6.1 versions are affected by this vulnerability.

Remediation/Fixes

If the IBM Tivoli Monitoring for Tivoli Storage Manager product is already 
installed, please use the instructions provided in the Workarounds and 
Mitigations section.

Tivoli Storage Monitoring for Tivoli Storage Manager (Reporting and Monitoring)

Version   First Fixing VRMF Level   Client Platform   Link to Fix / Fix Availability Target
-------   -----------------------   ---------------   -------------------------------------
7.1       7.1.3                     AIX, Linux        ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v7r1/7.1.3.000/
6.3       6.3.6                     AIX, Linux        This fix is targeted for availability on November 3, 2015.

NOTES:

The Windows platform is not affected by this security issue.

Extended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1 for
Tivoli Storage Manager can use the instructions provided in the Workaround and
Mitigations section.

Workarounds and Mitigations

After the IBM Tivoli Monitoring for Tivoli Storage Manager Reporting and
Monitoring feature is installed, run the secureMain command to set the
required security levels on the installed directories. This is the command
that updates the permission levels on those directories.

Syntax

<install_dir>/bin/secureMain [-h install_dir] [-g common_group] [-t type_code]
lock

<install_dir>/bin/secureMain [-h install_dir] [-g common_group] unlock

Parameters

install_dir - is the directory path for the IBM Tivoli Monitoring 
installation. If this parameter is not supplied, the script attempts to 
determine the location of the installation directory.

For example: /opt/tivoli/tsm/reporting/itm

common_group - is a group ID common to all of the user IDs that are used to 
run components in this installation. The user ID that is used to run the 
installation must also be a member of the group ID specified. The only 
exception is the root ID, which is not required to be a member of the group ID
specified.

type_code - is a component code that belongs to an installed component. You 
can specify multiple -t options to create a list of component codes to be 
processed.

Notes

If the secureMain command is started with no parameters, the usage text is 
displayed.

The lock parameter is used to set more restrictive permissions in an IBM 
Tivoli Monitoring installation. It must be run after you install or configure
components.

When the secureMain command with the lock parameter is run with no other 
parameters, the permissions are set to execute permissions (755) for most 
directories. However, world write permissions (777) are set on a number of 
directories. When certain components that are commonly run by using multiple 
user IDs are present in the installation, many more files have world write 
permissions set.

When the secureMain command is run with the lock and -g common_group 
parameters set, the permissions are set to execute permissions and the 
directories have their group owner changed to the common_group specified. No 
directories are left with world write permissions. Even when components that 
are commonly run by using multiple user IDs are present in the installation, 
no files are set to world write permissions. Additionally, the common_group 
value is written to a file and is used for all future invocations of 
secureMain command with the lock parameter in the same installation, unless 
the -g common_group parameter is specified and the common_group is different 
from the previous value.

When the secureMain command is run with the lock and -t type_code parameters 
set, parts of the installation are skipped when permissions are set to execute
permission. Common directories, like bin, config, registry, and logs, are 
always processed. Beyond those, only the directories specific to the specified
type_code components are processed; the other component directory trees are
skipped.

You can run the secureMain command with the unlock parameter to set less 
strict permissions in an IBM Tivoli Monitoring installation.

Running the secureMain command with the unlock parameter is normally not 
necessary, but can be run if required. You must run the command before you 
install or configure components.

Running the secureMain command with the unlock parameter does not return the
installation to the permission state that it was in before you ran the 
secureMain command with the lock parameter. It processes only the common 
directories, like bin, config, registry, and logs.

Example

The following example locks the installation by using the common group 
itmgroup:

secureMain -g itmgroup lock

The following example locks the base and mq component directories by using the
common group itmgroup:

secureMain -g itmgroup -t mq lock
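A defender's check for the condition this bulletin describes, as an added example that is not IBM's code and not part of secureMain: a POSIX shell audit that lists world-writable entries under the install tree (optionally only root-owned ones) so the state can be verified before and after running secureMain lock. It assumes the bulletin's install path /opt/tivoli/tsm/reporting/itm as the default and builds a small constructed sample tree for its self-check.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin or the secureMain tool: audit an
# IBM Tivoli Monitoring install tree for the condition CVE-2015-4927 describes
# (world-writable entries) before and after hardening. Assumes the install
# path from the bulletin, /opt/tivoli/tsm/reporting/itm, when no path is given.

# List world-writable files and directories under $1, optionally limited to
# those owned by $2 (the bulletin flags root-owned ones). Symlinks are skipped
# because their own mode bits are meaningless. Returns 1 if anything is found.
audit_world_writable() {
    dir=${1:-/opt/tivoli/tsm/reporting/itm}
    if [ -n "${2:-}" ]; then
        found=$(find "$dir" ! -type l -user "$2" -perm -0002 2>/dev/null | sort)
    else
        found=$(find "$dir" ! -type l -perm -0002 2>/dev/null | sort)
    fi
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of world-writable entries under $1 (drives the self-check below).
count_world_writable() {
    find "$1" ! -type l -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Self-check on a constructed tree that mimics the post-install state: a
# world-writable logs directory and config file beside a correctly set
# 755 binary. Prints "<before> <after>", where "after" is measured once the
# world-write bit has been cleared, which is the end state the bulletin
# attributes to 'secureMain -g <group> lock' (emulated here with chmod).
demo_constructed_tree() {
    umask 022
    tmp=$(mktemp -d)
    mkdir -p "$tmp/itm/bin" "$tmp/itm/logs" "$tmp/itm/config"
    printf 'x' > "$tmp/itm/bin/secureMain"
    printf 'x' > "$tmp/itm/config/sample.cfg"      # constructed file name
    chmod 755 "$tmp/itm/bin/secureMain"
    chmod 777 "$tmp/itm/logs"
    chmod 666 "$tmp/itm/config/sample.cfg"
    before=$(count_world_writable "$tmp/itm")
    chmod -R o-w "$tmp/itm"                        # stand-in for secureMain lock
    after=$(count_world_writable "$tmp/itm")
    rm -rf "$tmp"
    echo "$before $after"                          # prints "2 0"
}

# Usage on a real host: audit_world_writable /opt/tivoli/tsm/reporting/itm root
```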

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS v2 Guide

On-line Calculator v2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

2015 October 27 - Initially published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================