Jun 17, 2018 - 2:41 p.m.

Security Bulletin: Privilege Escalation Vulnerability in the Data Protection for VMware GUI (CVE-2013-6713)

Source: www.ibm.com

EPSS: 0 (percentile 5.1%)

Summary

In customer environments that utilize VMware restricted users, users of the Tivoli Storage Manager for Virtual Environments: Data Protection for VMware GUI can back up and restore VMs that they are not authorized to access.

Vulnerability Details

CVE ID: CVE-2013-6713

DESCRIPTION:

In customer environments that utilize VMware restricted users, users of the Tivoli Storage Manager for Virtual Environments: Data Protection for VMware GUI can back up and restore VMs that they are not authorized to access, enabling them to perform the following actions, regardless of their specific VMware level of authorization:

  • access all data within the VMs that have been previously backed up and also back up and access data that has not previously been backed up
  • spawn multiple restores which could exhaust VMware storage

CVSS:

CVSS Base Score: 4.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/89055>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

Affected Products and Versions

Only the Data Protection for VMware component of the following product and release levels is affected:

  • Tivoli Storage Manager for Virtual Environments 6.3, 6.4, and 7.1

Remediation/Fixes

The recommended solution is to apply the fix associated with the release of the product used in your environment.

| Product: Component | VRMF of First Fix | Platform | Remediation / Link to First Fix |
|---|---|---|---|
| Tivoli Storage Manager for Virtual Environments: Data Protection for VMware | 7.1.0.2 | Windows, Linux | http://www.ibm.com/support/docview.wss?uid=swg24037086 |
| Tivoli Storage Manager for Virtual Environments: Data Protection for VMware | 6.4.2.0 | Windows, Linux | http://www.ibm.com/support/docview.wss?uid=swg24039356 |
| Tivoli Storage Manager for Virtual Environments: Data Protection for VMware | 6.3.2.1 | Windows, Linux | http://www.ibm.com/support/docview.wss?uid=swg24037601 |

Workarounds and Mitigations

None
