Vigil@nce - IBM TSM Data Protection: information disclosure via changetsmpassword
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can read the logs of IBM TSM Data Protection to
obtain sensitive information.
Impacted products: Tivoli Storage Manager.
Severity: 2/4.
Creation date: 16/11/2015.
DESCRIPTION OF THE VULNERABILITY
The following products can change the password associated with TSM
(changetsmpassword):
– Tivoli Storage Manager for Databases: Data Protection for
Microsoft SQL Server (IBM Spectrum Protect for Databases)
– Tivoli Storage Manager for Mail: Data Protection for Microsoft
Exchange Server (IBM Spectrum Protect for Mail)
– Tivoli Storage FlashCopy Manager on Windows (IBM Spectrum
Protect Snapshot)
However, during this operation, the password is written in clear
text to the logs.
A local attacker can therefore read the logs of IBM TSM Data
Protection to obtain sensitive information.
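A check an administrator can run for the exposure described above, as an added example that is not part of the original bulletin or of IBM's tooling: it lists log files that mention changetsmpassword and shows which broad groups can read them, without echoing the matched lines. The log directory, the *.log filter, the match string and the list of broad identities are assumptions, since the bulletin gives no path or log format.

```powershell
# Added example (not from the bulletin): locate logs that record a
# changetsmpassword operation and report who can read them.
param(
    # Assumption: directory holding the Data Protection logs (no path is given in the bulletin).
    [Parameter(Mandatory = $true)][string]$LogDir,
    # Assumption: log files use this extension.
    [string]$Filter = '*.log',
    # Assumption: the command name appears on the logged line.
    [string]$Pattern = 'changetsmpassword'
)

# Identities treated as too broad for a file that may hold a password.
# Assumption: English group names; adjust to local policy and locale.
$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$logs = Get-ChildItem -LiteralPath $LogDir -Filter $Filter -File -Recurse -ErrorAction Stop

foreach ($log in $logs) {
    # Keep only line numbers; the matched text may contain the clear-text password.
    $hits = @(Select-String -LiteralPath $log.FullName -Pattern $Pattern -SimpleMatch |
              ForEach-Object { $_.LineNumber })
    if ($hits.Count -eq 0) { continue }

    # Allow entries that let a broad identity read the file contents.
    $acl = Get-Acl -LiteralPath $log.FullName
    $broad = @($acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ((([int]$_.FileSystemRights) -band $ReadData) -ne 0) -and
        ($BroadIdentities -contains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        File          = $log.FullName
        MatchingLines = $hits -join ','
        Owner         = $acl.Owner
        BroadReaders  = ($broad | Sort-Object -Unique) -join '; '
    }
}
```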