Vulnerability in IBM Tivoli Storage Manager Express
IBM has published a patch for Tivoli Storage Manager Express, its server-based backup solution for Windows. The update carries version number 126.96.36.199 and fixes a programming error that allows attackers to take complete remote control of vulnerable servers. According to IBM, the cause is a heap overflow, not specified in more detail, that allows any kind of malicious code to be executed with SYSTEM rights.
The security hole is not mentioned in the associated Readme file, however, which says only that the update adds support for the IBM Tape Autoloader 3362-2LX and contains some minor bugfixes. An error is said to occur while backup volumes are being checked, but only if the "DE" language option has been selected. Administrators should apply the patch as soon as possible, or restrict network access to the server to trustworthy backup clients.
- IBM Tivoli Storage Manager Express Heap Overflow, advisory by the manufacturer