Update fixes bug in IBM's Tivoli Provisioning Manager
IBM has released a Fix Pack to fix security vulnerabilities in its Tivoli Provisioning Manager for OS Deployment, which an attacker could use to crash a server or possibly inject arbitrary code. The software is used to install an operating system on networked computers over the network via the Pre-boot Execution Environment (PXE). The security vulnerabilities affect the web interface used to administer the server.
The vulnerabilities were reported by security services provider iDefense. Memory violations can occur when processing specially crafted form data in multipart HTTP POST requests, causing the server to crash or corrupting memory on the heap. An attacker does not need to be logged on to the system, but merely needs to be able to send packets to the server, which by default listens on ports 8080 and 443.
By default the server runs with system privileges, so malicious code could obtain full access to the system. iDefense notes that the server can also be started with limited privileges and suggests that administrators set it up to do so. The risk can also be reduced by restricting access to the server with a firewall.
IBM has provided updates for the affected versions (5.1.0.116 and earlier) on its website. Fix Pack 2 also fixes other, more cosmetic bugs and adds support for further operating systems.
- IBM Tivoli Provisioning Manager for OS Deployment Multiple Vulnerabilities, security advisory from iDefense
- Tivoli Provisioning Manager for OS Deployment Fix Pack 5.1.0-TIV-TPMOSD-FP0002, download and description of the changes in Fix Pack 2 from IBM
(mba)