Security Bulletin
Summary
Unprivileged users may be able to invoke privileged commands via SSH. With the right type of network access to the hardware, a skilled user could figure out a way to craft an SSH command to grant themselves privileged access, allowing the user to issue all administrative commands, with the potential to disrupt normal system operation. This patch fixes a security vulnerability that allows a TSSC service user unauthorized access to the attached TS7700.
Vulnerability Details
CVE ID: CVE-2014-3048
DESCRIPTION:
An unspecified vulnerability in IBM System Storage TS7740 Virtualization Engine could allow an attacker with physical access to obtain root level privileges.
CVSS:
CVSS Base Score: 6.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93434 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Affected Products and Versions
IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB), all microcode versions.
Remediation/Fixes
Contact IBM Service at 1-800-IBM-SERV to arrange the application of vtd_exec.195.
Workarounds and Mitigations
Restrict physical access to the TS7700.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
ssg1S1004653