IBM Support

Security Bulletin: Privilege Escalation Vulnerability in the FlashCopy Manager for VMware GUI (CVE-2013-6714)

Security Bulletin


Summary

In customer environments that utilize VMware restricted users, users of the Tivoli Storage FlashCopy Manager: FlashCopy Manager for VMware GUI can back up and restore VMs that they are not authorized to access.

Vulnerability Details


CVE ID: CVE-2013-6714

DESCRIPTION:

In customer environments that utilize VMware restricted users, users of the Tivoli Storage FlashCopy Manager: FlashCopy Manager for VMware GUI can back up and restore VMs that they are not authorized to access, enabling them to perform the following actions, regardless of their specific VMware level of authorization:

  • access all data within the VMs that have been previously backed up and also back up and access data that has not previously been backed up
  • spawn multiple restores which could exhaust VMware storage
  • overwrite production VM data with backup data



CVSS:

CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89057
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

Affected Products and Versions

Only the FlashCopy Manager for VMware component of the following product and release levels is affected:

  • Tivoli Storage FlashCopy Manager 3.1, 3.2, and 4.1

Remediation/Fixes

The recommended solution is to apply the fix associated with the release of the product used in your environment.

Product: ComponentVMRF of First FixRemediation / Link to First Fix
Tivoli Storage FlashCopy Manager: FlashCopy Manager for VMware 4.1.0.14.1.0.1-TIV-TSFCMFTP-VMware.bin available at:

ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v4r1/vmware/
Tivoli Storage FlashCopy Manager: FlashCopy Manager for VMware3.2.0.4Note that 3.2.0.4 is no longer available for download. You can download 3.2.0.9 to obtain the fix:
ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/vmware/
Tivoli Storage FlashCopy Manager: FlashCopy Manager for VMware3.1.1.1Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

None

Change History

23 May 2014: Original copy published
13 April 2018 - Fix download information

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS36V9","label":"Tivoli Storage FlashCopy Manager"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"FlashCopy Manager for VMware","Platform":[{"code":"PF016","label":"Linux"}],"Version":"3.1;3.2;4.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
17 June 2018

UID

swg21673045