===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2750
  Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli
         Monitoring for Tivoli Storage Manager (CVE-2015-4927)
                               3 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Storage Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Root Compromise -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4927

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21969340

---------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli
Monitoring for Tivoli Storage Manager (CVE-2015-4927)

Security Bulletin

Summary

Weak file permissions exist on several files after the installation of Tivoli
Storage Manager Reporting and Monitoring in a Linux or AIX environment. This
has the potential of privilege escalation by an attacker.

Vulnerability Details

CVEID: CVE-2015-4927

DESCRIPTION: The installation of Tivoli Storage Manager Reporting & Monitoring
leaves world-writable files with root ownership on the system for Unix and
Linux versions. There is the potential of privilege escalation by an attacker
making use of these files.

CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104087 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring)
7.1, 6.3, 6.2, and 6.1 versions are affected by this vulnerability.
Remediation/Fixes

If the IBM Tivoli Monitoring for Tivoli Storage Manager product is already
installed, please use the instructions provided in the Workarounds and
Mitigations section.

Tivoli Storage Monitoring for   First Fixing  Client    Link to Fix /
Tivoli Storage Manager Version  VRMF Level    Platform  Fix Availability Target
(Reporting and Monitoring)
------------------------------  ------------  --------  ------------------------------------------
7.1                             7.1.3         AIX       ftp://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/reporting/v7r1/7.1.3.000/
                                              Linux
6.3                             6.3.6         AIX       This fix is targeted for availability on November 3, 2015.
                                              Linux

NOTES:
  The Windows platform is not affected by this security issue.
  Extended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1
  for Tivoli Storage Manager can use the instructions provided in the
  Workaround and Mitigations section.

Workarounds and Mitigations

After installation of the IBM Tivoli Monitoring for Tivoli Storage Manager
Reporting and Monitoring feature, the secureMain command should be run to set
your required security levels for the installed directories. To update the
permission levels on the installed directories, you need to run the
secureMain command.

Syntax

  <install_dir>/bin/secureMain [-h install_dir] [-g common_group] [-t type_code] lock
  <install_dir>/bin/secureMain [-h install_dir] [-g common_group] unlock

Parameters

  install_dir
     is the directory path for the IBM Tivoli Monitoring installation. If this
     parameter is not supplied, the script attempts to determine the location
     of the installation directory. For example: /opt/tivoli/tsm/reporting/itm

  common_group
     is a group ID common to all of the user IDs that are used to run
     components in this installation. The user ID that is used to run the
     installation must also be a member of the group ID specified. The only
     exception is the root ID, which is not required to be a member of the
     group ID specified.

  type_code
     is a component code that belongs to an installed component.
     You can specify multiple -t options to create a list of component codes
     to be processed.

Notes

If the secureMain command is started with no parameters, the usage text is
displayed.

The lock parameter is used to set more restrictive permissions in an IBM
Tivoli Monitoring installation. It must be run after you install or configure
components.

When the secureMain command with the lock parameter is run with no other
parameters, the permissions are set to execute permissions (755) for most
directories. However, world write permissions (777) are set on a number of
directories. When certain components that are commonly run by using multiple
user IDs are present in the installation, many more files have world write
permissions set.

When the secureMain command is run with the lock and -g common_group
parameters set, the permissions are set to execute permissions and the
directories have their group owner changed to the common_group specified. No
directories are left with world write permissions. Even when components that
are commonly run by using multiple user IDs are present in the installation,
no files are set to world write permissions. Additionally, the common_group
value is written to a file and is used for all future invocations of the
secureMain command with the lock parameter in the same installation, unless
the -g common_group parameter is specified and the common_group is different
from the previous value.

When the secureMain command is run with the lock and -t type_code parameters
set, sections of the installation might be skipped when you set permissions
to execute permission. Common directories, like bin, config, registry, and
logs, are always processed. Only directories specific to the specified
type_code components are processed. The other component directory trees are
skipped.

You can run the secureMain command with the unlock parameter to set less
strict permissions in an IBM Tivoli Monitoring installation.
Running the secureMain command with the unlock parameter is normally not
necessary, but it can be run if required. You must run the command before you
install or configure components. Running the secureMain command with the
unlock parameter does not return the installation to the permission state
that it was in before you ran the secureMain command with the lock parameter.
It processes only the common directories, like bin, config, registry, and
logs.

Example

The following example locks the installation by using the common group
itmgroup:

  secureMain -g itmgroup lock

The following example locks the base and mq component directories by using
the common group itmgroup:

  secureMain -g itmgroup -t mq lock

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

  Complete CVSS v2 Guide
  On-line Calculator v2

Related information

  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog

Change History

  2015 October 27 - Initially published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
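A verification script for the Workarounds and Mitigations step above, added here as an example and not part of the IBM bulletin or of the secureMain script: it lists world-writable entries under the installation directory, which is the condition the bulletin describes, so it can be run before and after "secureMain -g itmgroup lock" to confirm that nothing world-writable remains. It assumes the bulletin's example path /opt/tivoli/tsm/reporting/itm as the default install directory; the demonstration tree at the bottom is constructed and stands in for a real installation.

```shell
#!/bin/sh
# Added audit helper; not part of the IBM bulletin or of the secureMain script.
# Lists world-writable entries under an IBM Tivoli Monitoring install tree, the
# condition CVE-2015-4927 describes, so the tree can be checked before and after
# "secureMain -g <common_group> lock". The default path is the bulletin's example
# install directory; the demo tree at the bottom is constructed.

# Print every world-writable (o+w) file or directory below $1, skipping symbolic
# links, whose mode bits are meaningless. With $2 set, only entries owned by that
# user are listed ("root" matches the bulletin's root-owned, world-writable case).
list_world_writable() {
    if [ -n "$2" ]; then
        find "$1" ! -type l -perm -002 -user "$2" -print
    else
        find "$1" ! -type l -perm -002 -print
    fi
}

# Number of world-writable entries; 0 is the expected result after the lock step.
count_world_writable() {
    list_world_writable "$1" "$2" | wc -l | tr -d ' '
}

# Return 0 when the tree is clean, 1 when anything is still world-writable.
check_locked() {
    _dir="${1:-/opt/tivoli/tsm/reporting/itm}"
    _n=$(count_world_writable "$_dir" "$2")
    if [ "$_n" -eq 0 ]; then
        echo "OK: no world-writable entries under $_dir"
        return 0
    fi
    echo "WARNING: $_n world-writable entries under $_dir:"
    list_world_writable "$_dir" "$2" | while IFS= read -r _p; do ls -ld "$_p"; done
    return 1
}

# Demonstration on a constructed tree, so no real installation is touched.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/logs"
printf '#!/bin/sh\n' > "$demo/bin/secureMain"
chmod 755 "$demo/bin/secureMain"      # typical post-lock mode
chmod 777 "$demo/logs"                # a world-writable directory as described
: > "$demo/logs/audit.log"
chmod 666 "$demo/logs/audit.log"      # a world-writable file as described
check_locked "$demo" || echo "lock step still required for $demo"
chmod o-w "$demo/logs" "$demo/logs/audit.log"   # stand-in for the real lock step
check_locked "$demo"
rm -rf "$demo"
```

On a real system run it as "check_locked /opt/tivoli/tsm/reporting/itm root" after the lock step; a non-zero exit means the bulletin's condition is still present.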
---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================