Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against IBM Tivoli Storage Manager Agent Client Buffer Overflow Vulnerability

Subscribe

Check Point Reference: CPAI-2009-085
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Secunia Advisory: SA32604
Industry Reference(s):

CVE-2008-4828
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
IBM Tivoli Storage Manager Client 5.1.0.0 to 5.1.8.2
IBM Tivoli Storage Manager Client 5.2.0.0 to 5.2.5.3
IBM Tivoli Storage Manager Client 5.3.0.0 to 5.3.6.4
IBM Tivoli Storage Manager Client 5.4.0.0 to 5.4.1.96
IBM Tivoli Storage Manager Express Client 5.3.3.0 to 5.3.6.4
Vulnerability Description
A buffer overflow vulnerability exists in IBM Tivoli Storage Manager (TSM), a backup solution designed to protect data from failures and other errors by storing backups and archiving data. The vulnerability is due to a boundary error when parsing strings from request packets within the Remote Client Agent Service. A remote unauthenticated attacker may exploit the vulnerability by sending a crafted request to the target service, potentially allowing for execution of arbitrary code or a denial of service.
Update/Patch Available
The vendor has released an advisory:
IBM
Vulnerability Details
The vulnerability is due to improper string copying within the Remote Client Agent Service. When the Remote Client Agent Service dsmagent.exe processes incoming messages, it does not validate the length of a string before copying it into the stack buffer. By specifying an overly large value, this vulnerability can be triggered, resulting in a buffer overflow condition that allows an attacker to overwrite critical stack data.

Protection Overview
This protection will detect and block certain malformed TSM client messages.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > IBM Tivoli.
2. In the right pane, double-click the IBM Tivoli Storage Manager Agent Client Generic String Handling Buffer Overflow protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IBM Tivoli Enforcement Violation
Attack Information: IBM Tivoli Storage Manager agent client generic string handling buffer overflow

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > IBM Tivoli.
2. Select the following:

IBM Tivoli Storage Manager Agent Client Generic String Handling Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IBM Tivoli Enforcement Violation
Attack Information: IBM Tivoli Storage Manager agent client generic string handling buffer overflow

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > IBM Tivoli.
2. Select the following:

IBM Tivoli Storage Manager Agent Client Generic String Handling Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IBM Tivoli Enforcement Violation
Attack Information: IBM Tivoli Storage Manager agent client generic string handling buffer overflow

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Enterprise Software, and select the IBM Tivoli Storage Manager protection group.
3. Click CVE-2008-4828 IBM Tivoli Storage Manager Client dsmagent.exe NodeName Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: IBM Tivoli Storage Manager
Description: CVE-2008-4828 IBM Tivoli Storage Manager Client dsmagent.exe NodeName Buffer Overflow