IBM quietly released last week a workaround for a vulnerability in its enterprise backup software it has known about since September 2016. The flaw is serious and allows a local adversary to exfiltrate data from IBM’s Spectrum Protect backup-archive and data protection service.
“This is a really bad vulnerability that’s both easy to exploit and easy to fix,” said Jakob Heidelberg, pen tester and founder of security firm Improsec. “There is no excuse why IBM would leave this type of vulnerability open for so long.”
The flaw is tied to multiple versions of what is most commonly referred to as the IBM Tivoli Storage Manager (TSM) client. TSM has since been renamed to Spectrum Protect. The flaw allows for a local user to escalate their privileges and access all documents, folders, emails and potentially usernames and passwords of service accounts associated with the locally hosted TSM service, Heidelberg said.
Heidelberg and his colleague Flemming Riis found the vulnerability in February and notified IBM of their research in March. Heidelberg asked IBM to confirm his findings; two months later he heard back and was told that a researcher had already discovered the flaw in September 2016 (CVE-2016-8939). Heidelberg said it was only after he told IBM he would be publishing his research on the vulnerability that IBM finally issued a security bulletin and offered a workaround for the bug on May 31. Two days later Heidelberg published his research.
“There is a saying that works just as well within security circles. If you see something, say something,” said Chris Pyle, president of Champion Solutions Group, an IBM partner. “We have hundreds of TSM installs and this is not a trivial IBM product or an obscure vulnerability. We need to know about these things in a timely manner.”
Affected versions of IBM Spectrum Protect Windows Client or Tivoli Storage Manager are all levels of 8.1, 7.1, 6.4 and 6.3 and below. IBM declined to comment for this story when contacted by Threatpost. IBM did tell the researcher that a patch would be available in either the third or fourth quarter.
What Heidelberg and an earlier researcher, Kestutis Gudinavicius, found was that a local user given limited permissions to access, for example, a Citrix Server that provides remote application and desktop access resources, could gain access to all files and system information stored on the IBM TSM backup.
Heidelberg describes the vulnerability this way: first, a local user with limited privileges accesses the Citrix Server (or a Terminal Server). Once connected, using a tool such as the Windows Registry Editor, the user can read the registry of the remote server. Buried inside the registry is a Node ID (username) and the obfuscated password data needed to access the IBM Tivoli Storage Manager client.
Now, all the adversary needs to do is install a copy of the IBM Tivoli Storage Manager client on a computer and connect to the corporate network on which the enterprise TSM server is running. Using the Node ID username and obfuscated password data, the adversary is able to log in as a sysadmin and download all data from the Citrix Server that is stored in the TSM backup service.
“This includes office documents, configuration files for services, emails and anything backed up to TSM,” Heidelberg told Threatpost. Also at risk are clear-text usernames and passwords used by services and scheduled tasks that are backed up to TSM.
The researcher said he was concerned the workaround fix was impractical for many enterprises. “The fix, so far, isn’t a patch. It requires a sysadmin to log onto each Windows server instance and perform the workaround that restricts access to the registry data that contains the Node password. A more practical approach is a script such as a PowerShell or Regini.exe or group policy setting.”
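As an added example (not from the article, Improsec or IBM), here is the kind of PowerShell audit-and-remediate script Heidelberg has in mind: it reports which broad local principals can read a given registry key and, only when run with -Remediate, removes those access entries. The key path is a labelled placeholder and the principal list is an assumption; the actual TSM client key and the supported workaround are whatever IBM's bulletin specifies for your client version.

```powershell
<#
  Added example, not IBM's or Improsec's code. Audits (and optionally removes)
  read access for broad principals on a registry key that holds a secret.
  $KeyPath is an ASSUMED placeholder: substitute the key named in IBM's bulletin.
#>
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER-TSM-CLIENT-KEY',
    [switch]$Remediate
)

# Assumption: these principals should never be able to read the node password.
# The backup service's own account is deliberately NOT in this list; it keeps access.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')
$QueryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues

if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

# Collect Allow ACEs for broad principals that include the QueryValues bit
# (present in ReadKey and FullControl, which is what lets a user read the value).
function Get-ExposedAces([System.Security.AccessControl.RegistrySecurity]$Acl) {
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.RegistryRights -band $QueryValues) -ne 0)
    }
}

$acl = Get-Acl -Path $KeyPath
$findings = @(Get-ExposedAces $acl)
if ($findings.Count -eq 0) { Write-Output "OK: no broad principal can read $KeyPath"; exit 0 }

foreach ($ace in $findings) {
    $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("EXPOSED: {0} has {1} ({2})" -f $ace.IdentityReference, $ace.RegistryRights, $kind)
}
if (-not $Remediate) { Write-Output 'Audit only. Re-run with -Remediate to remove these ACEs.'; exit 1 }

if ($findings | Where-Object IsInherited) {
    # Inherited ACEs cannot be removed directly: break inheritance while keeping
    # copies of the inherited entries, persist, then reload the now-explicit ACL.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $KeyPath -AclObject $acl
    $acl = Get-Acl -Path $KeyPath
}
foreach ($ace in @(Get-ExposedAces $acl)) { $null = $acl.RemoveAccessRule($ace) }
Set-Acl -Path $KeyPath -AclObject $acl
Write-Output "Remediated: broad read access removed from $KeyPath"
```

Run it in audit mode first across servers (for example through a remoting loop or a group policy startup script) and confirm the backup service account still has the rights it needs before using -Remediate.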
Pyle said the configuration scenario outlined by Heidelberg that opens the TSM to data exfiltration is not uncommon. “Tivoli Storage Manager has been a premier backup product for years and Citrix is also very common,” he said.