Some vulnerabilities have been reported in IBM Tivoli Storage Manager (TSM), which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.

1) A vulnerability is caused due to a boundary error in the IBM Tivoli Storage Manager Agent Client (dsmagent.exe) in a generic string handling function. This can be exploited to cause a stack-based buffer overflow via a string longer than 1025 characters contained in a specially crafted request packet.

2) A vulnerability is caused due to a boundary error in the IBM Tivoli Storage Manager Agent Client (dsmagent.exe) when copying the NodeName from a request packet. This can be exploited to cause a stack-based buffer overflow via a string longer than 65 characters.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in Tivoli Storage Manager Express Backup Client Version 5, Release 3, Level 6.2.

3) An unspecified error exists within the client WebGUI, which can be exploited to cause a buffer overflow and may allow execution of arbitrary code.

4) An unspecified error exists in the client Java GUI, which can be exploited to gain unauthorised access and e.g. read, copy, alter, or delete files on the client machine.

5) An unspecified error exists in the AIX and Windows clients using the Secure Socket Layer (SSL), which can be exploited e.g. to read or copy files from the client machine via a Man-in-the-Middle attack.

Please see the vendor's advisory for details on affected versions.

Solution
Update to the latest versions (please see the vendor's advisory for details).
Further details available in Customer Area

Provided and/or discovered by
1, 2) Dyon Balding, Secunia Research
3 -5) Reported by the vendor.

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2008-55/

IBM (IC59513, IC59994, IC59779, IC59781):
http://www-01.ibm.com/support/docview.wss?uid=swg21384389

Deep Links
Links available in Customer Area