IBM TSM for Virtual Environments 6.3.x < / 6.4.x < / 7.1.x < RCE

Critical Nessus Plugin ID 87823


A backup application installed on the remote host is affected by a remote command execution vulnerability.


The version of IBM Tivoli Storage Manager (TSM) for Virtual Environments installed on the remote host is 6.3.x prior to, 6.4.x prior to, or 7.1.x prior to It is, therefore, affected by multiple vulnerabilities:

- An unspecified flaw exists in the user interface that allows an unauthenticated, remote attacker to perform backup and restore operations and to execute TSM administrative commands. (CVE-2015-7425)

- A privilege escalation vulnerability exists in the IBM Data Protection Extension. An authenticated, remote attacker can exploit this to select an existing virtual machine from the vSphere inventory and perform a restore operation even though the attacker does not have the privilege level required for the operation. The restore operation will not overwrite the existing virtual machine but instead will create a new virtual machine with the same data as the existing virtual machine. After the restore creates the new virtual machine, the attacker can then access its unencrypted data, regardless of access permissions to the existing virtual machine data. Note that this issue only applies to version 7.1.x prior to 7.1.4. (CVE-2015-7429)


Upgrade to Tivoli Storage Manager for Virtual Environments version / / or later.

Plugin Details

Severity: Critical

ID: 87823

File Name: tivoli_storage_manager_virtual_environments_vmware_CVE-2015-7426.nasl

Version: $Revision: 1.10 $

Type: local

Family: Misc.

Published: 2016/01/08

Modified: 2017/02/17

Dependencies: 86326, 86327

Risk Information

Risk Factor: Critical


CVSS v2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND


CVSS v3

Base Score: 10

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments, cpe:/a:ibm:spectrum_protect_for_virtual_environments, cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware

Required KB Items: installed_sw/Tivoli Storage Manager for Virtual Environments

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/12/11

Vulnerability Publication Date: 2015/12/11

Reference Information

CVE: CVE-2015-7425, CVE-2015-7429

BID: 79541, 79545

OSVDB: 131676, 134809