On Monday IBM sent a Flash to many of us announcing a security vulnerability in the TSM Server. Regular non-administrator end-users on a multi-user system can restore files belonging to other users, including userid "root". For instance, this could be a Unix system that hosts shell accounts. Dissecting the CVSS scoring reveals "Access Complexity: Low" and "Authentication: None" - which basically means anyone can do it. Obviously, this is an opportunity for a breach of confidentiality.
If you back up any multi-user clients which have non-administrative accounts, this applies to you. It definitely applied to us, so I updated all our TSM server instances immediately. The Flash containing the full description and a list of fixing releases is at http://www-01.ibm.com/support/docview.wss?uid=swg21657726

Kudos to IBM for making well-tested fixes widely available before publishing the vulnerability, and also for announcing it after the Thanksgiving holiday rather than before.

Roger Deschner
University of Illinois at Chicago
[email protected]
======I have not lost my mind -- it is backed up on tape somewhere.=====
