For one reason or another, companies often choose to fix serious security gaps in silence. That’s exactly what happened with IBM just recently when they released a workaround quietly, addressing a flaw in its enterprise backup software.
The vulnerability, given the CVE-2016-8939 identifier, has been known to IBM since September 2016 when another researcher, Kestutis Gudinavicius, unearthed it for the first time. However, Jakob Heidelberg, pen tester and founder of security firm Improsec also came across the flaw just recently and contacted IBM.
“This is a really bad vulnerability that’s both easy to exploit and easy to fix,” the researcher said adding that “there is no excuse why IBM would leave this type of vulnerability open for so long.”
More about CVE-2016-8939
The vulnerability is associated with IBM Tivoli Storage Manager (TSM) client, now known as Spectrum Protect. The flaw allows local escalation of privileges and sensitive data access – all documents, folders, emails and even usernames and passwords tied to the locally hosted TSM service could be compromised, the researcher said.
As the story goes, Heidelberg together with his colleague Flemming Riis found the flaw in February this year. “We couldn’t believe our own eyes when we, in very little time, found a pretty important – and incredibly trivial – security vulnerability in the TSM product,” Heidelberg said.
The two researchers immediately notified IBM only to find out that the company had already discovered it in September 2016 when another researcher reported it. Heidelberg highlighted the fact that IBM finally issued a security bulletin but only after he told them he planned to publish his research. Two days after the company officially released a workaround fix the researcher published his research.
Apart from unauthorized access to files (documents, spreadsheets, configuration files etc.), the attacker could, for example, gain access to everything from the SAM database (password hashes) to sensitive registry-values, and potentially clear text passwords for service accounts.
A malicious insider is an obvious threat in regards to this vulnerability, giving the attacker the possibility of Information Disclosure, Privilege Escalation and Credential Theft.
This is what Heidelberg and the previous researcher, Kestutis Gudinavicius, both found. A local user with limited permissions to access a server that provides remote app and desktop access could obtain access to all files and system information stored on the IBM TSM backup. The vulnerability is that serious.
Affected versions of IBM Spectrum Protect Windows Client a.k.a. Tivoli Storage Manager are all levels of 8.1, 7.1, 6.4, plus 6.3 and earlier.
Mitigations against CVE-2016-8939 IBM TSM Vulnerability
The researcher recommends that all users of the IBM TSM product should immediately:
- Implement the workaround on all relevant systems (primarily servers with TSM backup client installed);
- Limit network access to TSM servers, so only relevant systems (the ones that need backup and restore) can communicate with the TSM backend servers (standard TCP 1500).
An official patch is expected in either the third or fourth quarter of 2017, IBM told the researcher.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: