CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
25.7%
The version of IBM Spectrum Protect Client installed on the remote Windows host is affected by an information disclosure vulnerability due to insecure permission for registry keys under the 'HKLM\Software\IBM\ADSM\CurrentVersion\Nodes' key. A local attacker can exploit this vulnerability to disclose credentials.
IBM Spectrum Protect was formerly known as IBM Tivoli Storage Manager in releases prior to version 7.1.3.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(100718);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/03/07");
script_cve_id("CVE-2016-8939");
script_bugtraq_id(98783);
script_name(english:"IBM Spectrum Protect Client Windows Registry Credentials Disclosure");
script_summary(english:"Checks for insecure permissions of registry key for IBM Spectrum Protect Client.");
script_set_attribute(attribute:"synopsis", value:
"A client application installed on the remote host is affected by an
information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of IBM Spectrum Protect Client installed on the remote
Windows host is affected by an information disclosure vulnerability
due to insecure permission for registry keys under the
'HKLM\Software\IBM\ADSM\CurrentVersion\Nodes\' key. A local attacker
can exploit this vulnerability to disclose credentials.
IBM Spectrum Protect was formerly known as IBM Tivoli Storage Manager
in releases prior to version 7.1.3.");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22003738");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg22000998");
script_set_attribute(attribute:"see_also", value:"https://improsec.com/blog/vulnerability-in-tsm");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory for instructions on remediation.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-8939");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_client");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:ibm:spectrum_protect_client");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tivoli_storage_manager_client_installed.nasl", "ibm_spectrum_protect_installed.nbin", "tivoli_storage_manager_virtual_environments_installed.nbin");
script_require_ports(139, 445, "installed_sw/Tivoli Storage Manager Client", "installed_sw/IBM Spectrum Protect", "installed_sw/Tivoli Storage Manager for Virtual Environments");
exit(0);
}
include("audit.inc");
include("install_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("lists.inc");
function reg_key_readable_by_users_group(security_descriptor)
{
local_var pdacl, dacl, item, access_rights, sid;
local_var USERS_SID, REG_ACCESS_READ;
USERS_SID = "1-5-32-545";
REG_ACCESS_READ = 0x0020019;
pdacl = security_descriptor[3];
pdacl = parse_pdacl(blob:pdacl);
if (empty_or_null(pdacl))
return NULL;
foreach item (pdacl)
{
dacl = parse_dacl(blob:item);
if (empty_or_null(dacl)) continue;
# SID check
sid = sid2string(sid:dacl[1]);
if (empty_or_null(sid)) continue;
if (sid != USERS_SID) continue;
# Access rights
access_rights = dacl[0];
if (empty_or_null(access_rights)) continue;
if (access_rights == REG_ACCESS_READ)
return TRUE;
}
return FALSE;
}
apps = ["Tivoli Storage Manager Client","IBM Spectrum Protect","Tivoli Storage Manager for Virtual Environments"];
installed = FALSE;
foreach app (apps)
{
if (get_install_count(app_name:app))
{
installed = TRUE;
break;
}
}
if (!installed) audit(AUDIT_NOT_INST, "IBM Spectrum Protect client / agent");
vuln_keys = [];
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
key = "Software\IBM\ADSM\CurrentVersion\Nodes";
subkeys = get_registry_subkeys(handle:hklm, key:key, wow:TRUE);
foreach item (keys(subkeys))
{
foreach subkey (subkeys[item])
{
working_key = item + "\" + subkey;
key_h = RegOpenKey(handle:hklm, key:working_key, mode:MAXIMUM_ALLOWED | ACCESS_SYSTEM_SECURITY);
if(!isnull(key_h))
{
# Make sure 'Password' value exists
if (!isnull(get_registry_value(handle:hklm, item:working_key + "\Password")))
{
# Check if Read permissions are granted to Users group
security_descriptor = RegGetKeySecurity(handle:key_h, type:DACL_SECURITY_INFORMATION);
if (!isnull(security_descriptor))
{
vuln = reg_key_readable_by_users_group(security_descriptor:security_descriptor);
if (vuln) collib::push("HKLM\"+working_key, list:vuln_keys);
}
}
RegCloseKey (handle:key_h);
}
}
}
RegCloseKey (handle:hklm);
NetUseDel();
if (empty_or_null(vuln_keys))
exit(0, "The install of IBM Spectrum Protect client / agent is not using a vulnerable configuration.");
wording = NULL;
if (max_index(vuln_keys) == 1)
wording = "key is";
else
wording = "keys are";
report =
'\n The following registry '+wording+' vulnerable :' +
'\n' +
'\n - ' + join(vuln_keys, sep:'\n - ') +
'\n';
security_report_v4(port:kb_smb_transport(), extra:report, severity:SECURITY_NOTE);
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
25.7%