Multiple IBM Products CVE-2014-0880 Security Bypass Vulnerability

Description

Multiple IBM Products are prone to a security bypass vulnerability. Attackers can exploit this issue to bypass security restrictions to perform unauthorized actions; this may aid in launching further attacks. The following products are vulnerable: IBM SAN Volume Controller 6.3, 6.4, 7.1, and 7.2 IBM Storwize V7000 6.4, 7.1, and 7.2 IBM Storwize V5000 7.1, and 7.2 IBM Storwize V3700 6.4, 7.1, and 7.2 IBM Storwize V3500 6.4, 7.1, and 7.2 IBM Flex System V7000 6.4, 7.1, and 7.2

Technologies Affected

• IBM Flex System V7000 6.4
• IBM Flex System V7000 7.1
• IBM Flex System V7000 7.2
• IBM SAN Volume Controller 6.3
• IBM SAN Volume Controller 6.4
• IBM SAN Volume Controller 7.1
• IBM SAN Volume Controller 7.2
• IBM Storwize V3500 6.4
• IBM Storwize V3500 7.1
• IBM Storwize V3500 7.2
• IBM Storwize V3700 6.4
• IBM Storwize V3700 7.1
• IBM Storwize V3700 7.2
• IBM Storwize V5000 6.4
• IBM Storwize V5000 7.1
• IBM Storwize V5000 7.2
• IBM Storwize V7000 6.4
• IBM Storwize V7000 7.1
• IBM Storwize V7000 7.2

Recommendations

Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn’t needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.

Updates are available. Please see the references or vendor advisory for more information.