{"vuid":"VU#350625","idnumber":"350625","name":"IBM Tivoli Storage Manager SmExecuteWdsfSession( ) function vulnerable to buffer overflow","keywords":["IBM Tivoli Storage Manager","buffer overflow","boundary error","SmExecuteWdsfSession( ) function","backup"],"overview":"A buffer overflow condition exists in certain login fields on the IBM Tivoli Storage Manager server. If successfully exploited, this vulnerability would allow an attacker to cause a denial-of-service condition or possibly execute arbitrary code.","clean_desc":"The IBM Tivoli Storage Manager (TSM) is a remote backup software package that runs on clients and servers. TSM clients must register and authenticate to servers before performing backup functions. The SmExecuteWdsfSession() function is used during the initial part of the authentication process. According to a public vulnerability report, a buffer overflow vulnerability exists in this function. The overflow can be triggered during the processing of two separate fields sent in the request, both of which are copied into fixed-size buffers without any validation of their lengths. An attacker may be able to send specially crafted malformed input to the SmExecuteWdsfSession() function that triggers a buffer overflow on the TSM Server. Note that IBM has released the below information on their support site, which conflicts with the original public report: This problem relates to an internal buffer overflow in TSM but IBM does not believe it is possible to exploit this buffer overflow for remote code execution, however, this exposure can be used to crash the TSM server.","impact":"A remote, unauthenticated attacker may be able to cause the TSM server to crash, thereby creating a denial-of-service condition. 
It may also be possible for the attacker to execute arbitrary code in the context of the TSM server.","resolution":"Update \nThe update provided by IBM may address this issue.","workarounds":"Restrict access\nRestricting access to port 1500/tcp at the network perimeter may mitigate the effects of this vulnerability. Note that an administrator can change the port that the TSM servers use with the port_address parameter.","sysaffected":"","thanks":"This report was based on information from Tipping Point Advisory \nTSRT-06-14","author":"This document was written by Ryan Giobbi.","public":["http://secunia.com/advisories/23177/","http://www-1.ibm.com/support/docview.wss?uid=swg21250261","http://www-306.ibm.com/software/tivoli/products/storage-mgr/","http://www.tippingpoint.com/security/advisories/TSRT-06-14.html","http://www.securityfocus.com/bid/21440"],"cveids":["CVE-2006-5855"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-12-05T15:32:49Z","publicdate":"2006-12-04T00:00:00Z","datefirstpublished":"2007-02-05T16:00:53Z","dateupdated":"2007-02-09T15:49:21Z","revision":29,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"5","cam_impact":"12","cam_easeofexploitation":"4","cam_attackeraccessrequired":"2","cam_scorecurrent":"0.135","cam_scorecurrentwidelyknown":"0.225","cam_scorecurrentwidelyknownexploited":"0.405","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.135,"vulnote":null}