PatchSiren


CVE-2016-5918 IBM CVE debrief

CVE-2016-5918 is an information-disclosure flaw in IBM Tivoli Storage Manager HSM for Windows. When password access is set to prompt and the password is changed, the encrypted Tivoli Storage Manager password can appear in application trace output. The issue is rated medium severity and is primarily a confidentiality risk.

Vendor: IBM
Product: CVE-2016-5918
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

IBM Tivoli Storage Manager HSM/Space Management administrators, Windows support teams, and anyone who can access or review application trace output on affected systems.

Technical summary

NVD describes the flaw as the encrypted Tivoli Storage Manager password being printed to application trace output when the password access option is set to prompt and the password is changed. NVD maps the issue to CWE-200 and to the CVSS 3.0 vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, which indicates local access, high attack complexity, low privileges, no user interaction, unchanged scope, and high confidentiality impact with no integrity or availability impact. The affected IBM CPE coverage in NVD includes Tivoli Storage Manager for Space Management versions up to 6.3, 6.4.3.0, and 7.1.4.1, including base releases 6.4.0.0 and 7.1.0.0.

Defensive priority

Medium

Recommended defensive actions

  • Apply the IBM fix or update referenced in the IBM PSIRT advisory.
  • Review and restrict access to application trace output and related diagnostic artifacts on affected Windows systems.
  • Check whether the password access setting is configured to prompt and whether password changes occurred on affected installations.
  • If trace output may have exposed credentials, treat the password as compromised and rotate it through standard administrative procedures.
  • Validate which IBM Tivoli Storage Manager for Space Management / HSM for Windows versions are deployed and prioritize systems matching the affected NVD CPE coverage.

Evidence notes

The NVD record states that IBM Tivoli Storage Manager HSM for Windows displays the encrypted Tivoli Storage Manager password in application trace output when the password access option is prompt and the password is changed. NVD assigns CWE-200 and CVSS 3.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. The reference list in NVD includes the IBM PSIRT advisory and a third-party SecurityFocus entry.

Official resources

Publicly published in the CVE/NVD record on 2017-02-08. The NVD record was later modified on 2026-05-13.