Vulnerability CVE-2009-3855 - CERT Civis.Net

Vulnerability Name:

CVE-2009-3855 (CCN-54130)

Assigned:

2009-11-03

Published:

2009-11-03

Updated:

2009-11-18

Summary:

Multiple unspecified vulnerabilities in the (1) UNIX and (2) Linux backup-archive clients, and the (3) OS/400 API client, in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.6, 5.4 before 5.4.2, and 5.5 before 5.5.1, when the MAILPROG option is enabled, allow attackers to read, modify, or delete arbitrary files via unknown vectors.

CVSS v3 Severity:

6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

5.4 Medium (CCN CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:P)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2009-3855

Source: CCN
Type: SA32534
IBM Tivoli Storage Manager Client Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
32534

Source: AIXAPAR
Type: UNKNOWN
IC54489

Source: CCN
Type: IBM Support & downloads
IBM Tivoli Storage Manager (TSM) Client Security Fixes - November 2009

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21405562

Source: CCN
Type: OSVDB ID: 59634
IBM Tivoli Storage Manager Client on *nix MAILPROG Option Unspecified Unauthorized Access

Source: CCN
Type: BID-36916
IBM Tivoli Storage Manager Multiple Remote Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2009-3132

Source: XF
Type: UNKNOWN
tsm-mailprog-security-bypass(54130)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:tivoli_storage_manager:5.2.5.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.6.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.6.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.6.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.3.6.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager:5.5.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:tivoli_storage_manager_client:5.3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager_client:5.4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_storage_manager_client:5.5.0:*:*:*:*:*:*:*

Denotes that component is vulnerable