Detections
Analytics

IBM Tivoli Storage FlashCopy Manager for VMware 3.1.x < 3.1.1.3 / 3.2.x < 3.2.0.6 / 4.1.x < 4.1.4.0 Command Execution

critical Nessus Plugin ID 87822

Language:

Synopsis

A backup application installed on the remote host is affected by multiple remote command execution vulnerabilities.

Description

The version of IBM Tivoli Storage FlashCopy Manager for VMware installed on the remote host is affected by multiple vulnerabilities :

- An unspecified flaw exists in the graphical user interface that allows an unauthenticated, remote attacker to perform backup and restore operations, along with other administrative commands, resulting in a possible adverse impact on the integrity of system operation or the disclosure of confidential information. (CVE-2015-7425)

- A flaw exists in the IBM Data Protection Extension that can result in privilege escalation. An authenticated attacker can exploit this to select an existing virtual machine from the vSphere inventory and perform a Restore operation without having the required privilege for the operation. Although performing this operation does not overwrite the existing virtual machine, the attacker can create a new virtual machine holding the same data, allowing disclosure of information. (CVE-2015-7429)

Solution

Upgrade to Tivoli Storage FlashCopy Manager for VMware version 3.1.1.3 / 3.2.0.6 / 4.1.4.0 or later.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg21973086

http://www-01.ibm.com/support/docview.wss?uid=swg21973087

Plugin Details

Severity: Critical

ID: 87822

File Name: tivoli_storage_flashcopy_manager_vmware_CVE-2015-7426.nasl

Version: 1.12

Type: local

Agent: unix

Family: Misc.

Published: 1/8/2016

Updated: 10/15/2020

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-7425

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_storage_flashcopy_manager

Required KB Items: installed_sw/Tivoli Storage FlashCopy Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 12/1/2015

Vulnerability Publication Date: 12/11/2015

Reference Information

CVE: CVE-2015-7425, CVE-2015-7429

BID: 79541, 79545