
Security Bulletin: Confidential data exposure when restoring Microsoft Exchange mailboxes which have the same alias defined CVE-2015-4950

Security Bulletin


Summary

In environments with duplicated mailbox aliases, FlashCopy Manager for Microsoft Exchange, Data Protection for Microsoft Exchange, and FastBack for Microsoft Exchange may open and restore the wrong mailbox.

Vulnerability Details


CVEID: CVE-2015-4950
DESCRIPTION:
IBM Tivoli Storage FlashCopy Manager, Tivoli Storage Manager for Mail, and Tivoli Storage Manager FastBack for Microsoft Exchange could allow a local user with elevated privileges to obtain sensitive information by manipulating mailbox names that share the same alias.

For example:

Mailbox Display Name | Alias
mailbox1             | sales
mailbox2             | sales

When two mailboxes have the same alias, users may encounter the following problems when using affected software:

  • the Mailbox Restore Browser interface may populate mailboxes with the folders and messages from a different mailbox than the one intended
  • restoring a mailbox via the CLI interface, using the alias instead of the mailbox display name, may restore a different mailbox than the one intended
  • the mailbox history may not correctly represent the mailboxes that share the same alias

With Tivoli Storage Manager FastBack for Microsoft Exchange, the software may also open the wrong mailbox when the "Open Mailbox" function is used; folders and messages could then be restored to that incorrect mailbox.

CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104954 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions


Tivoli Storage FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1, 3.2, and 4.1
Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1, 6.3, 6.4, and 7.1
Tivoli Storage Manager Fastback for Microsoft Exchange 6.1

Remediation/Fixes


Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server

Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
4.1          | 4.1.1       | IT04251 | Note that 4.1.1 is no longer available for download. You can download 4.1.4 or higher to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/maintenance/v4r1/windows/v414/
3.2          | 3.2.1.7     | IT04251 | Note that 3.2.1.7 is no longer available for download. You can download 3.2.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/windows/v321/
             |             |         | However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.4.x as the FlashCopy Manager for Microsoft Exchange 3.2.x component. Therefore, you may install and use the 6.4.1.4 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.
3.1          | None        | IT04251 | This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.3.x as the FlashCopy Manager for Microsoft Exchange 3.1.x component. Therefore, you may install and use the 6.3.1.3 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.
2.2          | None        | IT04251 | This product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.2.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.
2.1          | None        | IT04251 | This release of the product is end of support and is not eligible for support extensions. Therefore, no fix is planned. IBM recommends upgrading to a fixed, supported version/release/platform of the product.
             |             |         | However, this product bundles Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange 6.1.x as the FlashCopy Manager for Microsoft Exchange 2.1.x component. Therefore, you may install and use the 6.1.3.6 fix from the table below to resolve this vulnerability for the FlashCopy Manager for Microsoft Exchange software.


Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server
Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
7.1          | 7.1.0.2     | IT04251 | Download packages for Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1.0 interim fix packages (7.1.0.x) and READMEs have been removed from the web as they contain unremediated security vulnerabilities. The latest version of 7.1 (7.1.6) contains fixes for the most recent known security and product issues, and can be found using this link: http://www.ibm.com/support/docview.wss?uid=swg24042166
             |             |         | If you have any questions, please contact IBM support.
6.4          | 6.4.1.4     | IT04251 | Note that 6.4.1.4 is no longer available for download. You can download 6.4.1.9 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v641/windows/
6.3          | 6.3.1.3     | IT04251 | Note that 6.3.1.3 is no longer available for download. You can download 6.3.1.6 to obtain the fix: ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v631/windows/
6.1          | 6.1.3.6     | IT04251 | ftp://public.dhe.ibm.com/storage/tivoli-storage-management/patches/tivoli-data-protection/ntexch/v613/x64/


Tivoli Storage Manager FastBack for Microsoft Exchange
Affected V.R | Fixing VRMF | APAR    | Remediation/First Fix
6.1          | 6.1.5.4     | IT04252 | http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Storage+Manager+FastBack+for+Microsoft+Exchange&release=6.1.5.3&platform=Windows&function=all

Workarounds and Mitigations


For the products:
- Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange
- Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange

two workarounds exist for this problem:
1) Use the CLI to restore the mailbox by specifying the mailbox GUID or display name instead of the alias.
2) Use the Microsoft Exchange Management Console or PowerShell commands to rename the duplicated mailbox alias to a unique value.

For the product:
- Tivoli Storage Manager FastBack for Microsoft Exchange

three workarounds exist for this problem:
1) Open a PST file and restore messages to the PST file. Then, import the PST file contents into the mailbox.
2) Restore messages using the "SMTP Restore" option.
3) Use the Microsoft Exchange Management Console or PowerShell commands to rename the duplicated mailbox alias to a unique value.
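The alias-rename workaround above applies to all three products. The following script is an added example, not part of the IBM bulletin and not IBM code: it enumerates mailboxes, reports every alias shared by more than one mailbox (the condition that triggers the wrong-mailbox restore), and, when run with -Rename, gives each duplicate a unique alias. It assumes an Exchange Management Shell session with rights to run Get-Mailbox and Set-Mailbox; the script name, the "-dup" suffix scheme and the sample invocations are assumptions.

```powershell
# Find-DuplicateMailboxAlias.ps1 (hypothetical name; example added to the bulletin,
# not IBM or Microsoft code). Reports mailboxes that share an alias and optionally
# renames the duplicates so that every alias in the organisation is unique.
# Assumes an Exchange Management Shell session with Get-Mailbox/Set-Mailbox rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Suffix used to build a unique alias for each duplicate (assumed scheme).
    [string] $Suffix = "-dup",
    # Without -Rename the script only reports; with -Rename -WhatIf it previews changes.
    [switch] $Rename
)

# Collect the alias, the display name and the ExchangeGuid. The GUID is the stable,
# unambiguous identifier that restores should be keyed on instead of the alias.
$mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, Alias, ExchangeGuid, PrimarySmtpAddress

# Group-Object compares case-insensitively by default, so "Sales" and "sales" collide.
$collisions = $mailboxes |
    Group-Object -Property Alias |
    Where-Object { $_.Count -gt 1 }

if (-not $collisions) {
    Write-Host "No duplicate mailbox aliases found."
    return
}

foreach ($group in $collisions) {
    Write-Warning ("Alias '{0}' is shared by {1} mailboxes:" -f $group.Name, $group.Count)
    $group.Group |
        Format-Table DisplayName, ExchangeGuid, PrimarySmtpAddress -AutoSize |
        Out-String | Write-Host

    if ($Rename) {
        # Keep the first mailbox's alias; give every further duplicate a unique one.
        $i = 0
        foreach ($mbx in ($group.Group | Select-Object -Skip 1)) {
            $i++
            $newAlias = "{0}{1}{2}" -f $group.Name, $Suffix, $i
            if ($PSCmdlet.ShouldProcess($mbx.DisplayName, "Set-Mailbox -Alias $newAlias")) {
                # Address the mailbox by GUID, never by the alias that is ambiguous.
                Set-Mailbox -Identity $mbx.ExchangeGuid.ToString() -Alias $newAlias
            }
        }
    }
}

# Usage (assumed script name):
#   .\Find-DuplicateMailboxAlias.ps1                  # report only
#   .\Find-DuplicateMailboxAlias.ps1 -Rename -WhatIf  # preview renames
#   .\Find-DuplicateMailboxAlias.ps1 -Rename          # apply renames
```

Run the report mode before any restore with the affected products: if it lists no collisions, the alias-based lookups described in this bulletin cannot pick the wrong mailbox. The rename branch deliberately passes the ExchangeGuid to Set-Mailbox so that the fix itself is not subject to the same alias ambiguity.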

References

Change History

13 April 2018: Fixed download links.
13 January 2017: Fixed link to Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1.0.2 interim fix.
02 September 2015: Revised 3.2.1.7 fix row to indicate that this fix is now available.
10 August 2015: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
17 June 2018

UID

swg21963629