H206045: Storage Manager Profiler is susceptible to certain vulnerabilities - IBM System Storage


Source

RETAIN tip: H206045

Symptom

IBM System Storage DS Storage Manager installation package versions 10.60.xx.xx through 10.77.xx.xx include a separately installed application called IBM Storage Manager Profiler.

This software contains features that could be subject to Structured Query Language (SQL) injection and cross-site scripting (XSS) attacks, through which an attacker could execute script in the user's web browser.

Note: This software also is referred to as Support Monitor in some of the IBM publications.

Affected configurations

The system may be any of the following IBM servers:

  • DS4200 Storage Server, type 1814, any model
  • DS4300 (FAStT600) Dual Controller and Turbo Storage Server, type 1722, any model
  • DS4500 (FAStT900) Storage Server, type 1742, any model
  • DS4700 Storage Server, type 1814, any model
  • DS4700 Storage Server, type 1814 (DC power supplies), any model
  • DS4800 Storage Server, type 1815, any model
  • IBM System Storage DCS3700 Storage Subsystem, type 1818, model 80C
  • IBM System Storage DS3200, type 1726, any model
  • IBM System Storage DS3300, type 1726, any model
  • IBM System Storage DS3400, type 1726, any model
  • IBM System Storage DS3512, type 1746, any model
  • IBM System Storage DS3524, type 1746, any model
  • IBM System Storage DS3950 Express, type 1814, any model
  • IBM System Storage DS5020 Disk Controller (1814-20A), any model
  • IBM System Storage DS5100 Storage Controller, type 1818, any model
  • IBM System Storage DS5300 Storage Controller, type 1818, any model

This tip is not software specific.

This tip is not option specific.

The system has the symptom described above.

Solution

The IBM Storage Manager Profiler is no longer part of the IBM System Storage DS Storage Manager installation package in versions 10.83.xx.18 and newer. IBM recommends that users upgrade their DS Storage Managers to the latest version.

These updates are available by selecting the appropriate Product Group, Product name, Product machine type, and operating system on IBM Support's Fix Central web page, at the following URL:

http://www.ibm.com/support/fixcentral/

IBM highly recommends that users upgrade all of their DS Storage Managers to the latest version.

Workaround

Since the IBM Storage Manager Profiler is separately installed software, it can be uninstalled while leaving your version 10.60.xx.xx to 10.77.xx.xx IBM DS Storage Manager installed and working properly.

Additional information

The IBM Storage Manager Profiler included in the IBM System Storage DS Storage Manager installation package versions 10.60.xx.xx through 10.77.xx.xx has only one function: it collects storage support logs at a set time interval to archive the state of the storage subsystem.

Beginning in IBM DS Storage Manager 10.83.xx.18, this functionality has been incorporated into the Enterprise Management Window of Storage Manager, so the standalone installation of Profiler is no longer needed. This removes the exposure to the two security vulnerabilities (SQL injection and cross-site scripting) described below.

VULNERABILITY DETAILS:

CVE ID: CVE-2012-2171

DESCRIPTION:

The IBM System Storage Manager Profiler, as used in the IBM System Storage DS Series, is vulnerable to SQL injection. Among other things, a remote attacker with access to the Storage Manager Profiler could exploit this vulnerability to inject and execute SQL code.

CVSS:

CVSS Base Score: 6.5

CVSS Temporal Score:

See http://xforce.iss.net/xforce/xfdb/75236 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: CVE-2012-2172

DESCRIPTION:

The IBM System Storage Manager Profiler, as used in the IBM System Storage DS Series, is susceptible to multiple cross-site scripting vulnerabilities. Among other things, a remote attacker could exploit these vulnerabilities to execute arbitrary script in a user's browser session.

CVSS:

CVSS Base Score: 4.3

CVSS Temporal Score:

See http://xforce.iss.net/xforce/xfdb/75239 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

REFERENCES:

  • Complete CVSS Guide:

    http://www.first.org/cvss/cvss-guide.html

  • On-line Calculator V2:

    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

  • X-Force Vulnerability Database - SQL Injection:

    http://xforce.iss.net/xforce/xfdb/75236

  • X-Force Vulnerability Database - Cross-site scripting:

    http://xforce.iss.net/xforce/xfdb/75239

  • CVE-2012-2171:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2171

  • CVE-2012-2172:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2172

  • Zero Science Labs Advisory ZSL-2012-5094:

    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5094.php

RELATED INFORMATION:

  • IBM Secure Engineering Web Portal:

    https://www-304.ibm.com/jct03001c/security/secure-engineering

  • IBM Product Security Incident Response Blog:

    https://www.ibm.com/blogs/PSIRT

ACKNOWLEDGEMENT:

This vulnerability was reported to IBM by Gjoko Krstic of Zero Science Lab.

* The CVSS Environment Score is user environment specific and ultimately will impact the Overall CVSS Score. Users can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response."

Applicable countries and regions

  • Worldwide

Document id:  MIGR-5090850
Last modified:  2013-02-21
Copyright © 2013 IBM Corporation