CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
83.2%
The version of IBM Tivoli Storage Manager (TSM) for Virtual Environments installed on the remote host is 6.3.x prior to 6.3.2.5, 6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.4.0. It is, therefore, affected by multiple vulnerabilities :
An unspecified flaw exists in the user interface that allows an unauthenticated, remote attacker to perform backup and restore operations and to execute TSM administrative commands. (CVE-2015-7425)
A privilege escalation vulnerability exists in the IBM Data Protection Extension. An authenticated, remote attacker can exploit this to select an existing virtual machine from the vSphere inventory and perform a restore operation even though the attacker does not have the privilege level required for the operation. The restore operation will not overwrite the existing virtual machine but instead will create a new virtual machine with the same data as the existing virtual machine.
After the restore creates the new virtual machine, the attacker can then access its unencrypted data, regardless of access permissions to the existing virtual machine data. Note that this issue only applies to version 7.1.x prior to 7.1.4. (CVE-2015-7429)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(87823);
script_version("1.11");
script_cvs_date("Date: 2018/08/01 17:36:12");
script_cve_id("CVE-2015-7425", "CVE-2015-7429");
script_bugtraq_id(79541, 79545);
script_name(english:"IBM TSM for Virtual Environments 6.3.x < 6.3.2.5 / 6.4.x < 6.4.3.1 / 7.1.x < 7.1.4.0 RCE");
script_summary(english:"Checks the version of TSM for Virtual Environments.");
script_set_attribute(attribute:"synopsis", value:
"A backup application installed on the remote host is affected by a
remote command execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of IBM Tivoli Storage Manager (TSM) for Virtual
Environments installed on the remote host is 6.3.x prior to 6.3.2.5,
6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.4.0. It is, therefore,
affected by multiple vulnerabilities :
- An unspecified flaw exists in the user interface that
allows an unauthenticated, remote attacker to perform
backup and restore operations and to execute TSM
administrative commands. (CVE-2015-7425)
- A privilege escalation vulnerability exists in the IBM
Data Protection Extension. An authenticated, remote
attacker can exploit this to select an existing virtual
machine from the vSphere inventory and perform a restore
operation even though the attacker does not have the
privilege level required for the operation. The restore
operation will not overwrite the existing virtual
machine but instead will create a new virtual machine
with the same data as the existing virtual machine.
After the restore creates the new virtual machine, the
attacker can then access its unencrypted data,
regardless of access permissions to the existing virtual
machine data. Note that this issue only applies to
version 7.1.x prior to 7.1.4. (CVE-2015-7429)");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21973086");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21973087");
script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Storage Manager for Virtual Environments version
6.3.2.5 / 6.4.3.1 / 7.1.4.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/11");
script_set_attribute(attribute:"patch_publication_date", value:"2015/12/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_for_virtual_environments");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
script_dependencies(
"tivoli_storage_manager_virtual_environments_installed.nbin",
"tivoli_storage_manager_virtual_environments_installed_linux.nbin"
);
script_require_keys("installed_sw/Tivoli Storage Manager for Virtual Environments");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
app = 'Tivoli Storage Manager for Virtual Environments';
get_install_count(app_name:app, exit_if_zero:TRUE);
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
version = install["version"];
path = install["path"];
hypervisor = install["Hypervisor"];
app += " for " + hypervisor;
if (hypervisor != "VMware")
audit(AUDIT_INST_VER_NOT_VULN, app, version);
if (version =~ "^6\.3\.")
fix = "6.3.2.5";
else if (version =~ "^6\.4\.")
fix = "6.4.3.1";
else if (version =~ "^7\.1\.")
fix = "7.1.4.0";
else
audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);
# Differentiate Linux vs Windows
if (get_kb_item("SMB/Registry/Enumerated"))
port = get_kb_item("SMB/transport");
else
port = 0;
if (report_verbosity > 0)
{
report =
'\n Hypervisor : ' + hypervisor +
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : ' + fix + '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
83.2%