Check Point Advisories

IBM Tivoli Storage Manager Agent Client Generic String Handling Buffer Overflow (CVE-2008-4828)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-085
Date Published:	20 May 2009
Severity:	High
Last Updated:	Wednesday 20 May, 2009
Source:
Industry Reference:	CVE-2008-4828
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	IBM Tivoli Storage Manager (TSM) is a backup solution designed to protect data from failures and other errors by storing backups and archiving data. A buffer overflow vulnerability exists in IBM Tivoli Storage Manager (TSM). The vulnerability is due to improper string copying within the Remote Client Agent Service. When the Remote Client Agent Service dsmagent.exe processes incoming messages, it does not validate the length of a string before copying it into the stack buffer. By specifying an overly large value, this vulnerability can be triggered, resulting in a buffer overflow condition that allows an attacker to overwrite critical stack data.

Protection Overview

This protection will detect and block certain malformed TSM client messages.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the IBM Tivoli Storage Manager Agent Client Generic String Handling Buffer Overflow protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: IBM Tivoli Enforcement Violation.
Attack Information: IBM Tivoli Storage Manager agent client generic string handling buffer overflow