CVE-2020-28198

Severity: 7.0 HIGH

📋 TL;DR

CVE-2020-28198 is a stack buffer overflow in the administrative client (dsmadmc.exe) of IBM Tivoli Storage Manager that allows an attacker with local access to execute arbitrary code or cause a denial of service. Only the client's interactive mode is affected, when it processes the 'id' parameter. This impacts organizations still running the unsupported IBM Tivoli Storage Manager Version 5 Release 2.

💻 Affected Systems

Products:
  • IBM Tivoli Storage Manager
Versions: Version 5 Release 2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects interactive mode usage of dsmadmc.exe; batch/command-line usage is not vulnerable due to character limitations. Product is no longer supported by IBM.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, privilege escalation, or installation of persistent malware.

🟠 Likely Case

Local privilege escalation or denial of service affecting the administrative client functionality.

🟢 If Mitigated

Limited impact due to the interactive-only requirement and the unsupported software status reducing the attack surface.

🌐 Internet-Facing: LOW - The vulnerability requires interactive mode and affects an administrative client, not typically internet-facing.
🏢 Internal Only: MEDIUM - Internal administrators using the vulnerable client could be targeted, but the software is unsupported and likely rare in modern environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access to execute the vulnerable client in interactive mode. Public exploit code exists for Windows x86 systems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available as product is end-of-life. Migrate to supported IBM Storage Protect or alternative solutions.

🔧 Temporary Workarounds

Disable Interactive Mode Usage (Windows)

  • Enforce a policy of using only batch/command-line mode for administrative operations
  • Enforce administrative procedures that avoid running dsmadmc.exe interactively

Application Whitelisting (Windows)

  • Block execution of dsmadmc.exe or restrict it to specific administrative accounts
  • Use Windows AppLocker or a similar control to restrict dsmadmc.exe execution

🧯 If You Can't Patch

  • Migrate to IBM Storage Protect (formerly Spectrum Protect) or alternative supported backup solution
  • Isolate Tivoli administrative workstations on separate network segments with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check if IBM Tivoli Storage Manager Version 5.2.0.1 is installed and dsmadmc.exe exists in the installation directory

Check Version:

dsmadmc.exe -version or check installed programs in Windows Control Panel

Verify Fix Applied:

Verify migration to supported software or removal of vulnerable version

📡 Detection & Monitoring

Log Indicators:

  • Unusual process crashes of dsmadmc.exe
  • Multiple failed interactive login attempts to Tivoli client

SIEM Query:

Process creation events where Image ends with 'dsmadmc.exe', with the CommandLine field inspected to separate interactive-mode launches from batch (command-line) invocations
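As an added example (not part of this advisory and not IBM's code), the following Python classifies dsmadmc.exe process-creation events as interactive or batch so that only interactive launches, the mode this CVE affects, are flagged. It assumes the documented client behaviour that a command line carrying only `-name=value` options and no trailing administrative command starts interactive mode, while `-consolemode` and `-mountmode` select their own modes; the Sysmon-style events are constructed samples.

```python
# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Tivoli\TSM\baclient\dsmadmc.exe",
     "CommandLine": "dsmadmc -id=admin -password=REDACTED query session",
     "User": r"CORP\backupadmin"},
    {"Image": r"C:\Program Files\Tivoli\TSM\baclient\dsmadmc.exe",
     "CommandLine": "dsmadmc -id=admin -password=REDACTED",
     "User": r"CORP\backupadmin"},
    {"Image": r"C:\Program Files\Tivoli\TSM\baclient\dsmadmc.exe",
     "CommandLine": "dsmadmc -consolemode -id=admin -password=REDACTED",
     "User": r"CORP\backupadmin"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "User": r"CORP\user1"},
]


def is_dsmadmc(image):
    """True when the Image path's file name is dsmadmc.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "dsmadmc.exe"


def classify_mode(command_line):
    """Classify a dsmadmc command line as 'interactive', 'batch', 'console' or 'mount'.

    Assumption: options use the -name=value form, -consolemode / -mountmode select
    their own modes, and options-only command lines (no trailing administrative
    command) start interactive mode.
    """
    tokens = command_line.split()[1:]  # drop the program name itself
    switches = {t.split("=", 1)[0].lower() for t in tokens if t.startswith("-")}
    if "-consolemode" in switches:
        return "console"
    if "-mountmode" in switches:
        return "mount"
    has_command = any(not t.startswith("-") for t in tokens)
    return "batch" if has_command else "interactive"


def flag_interactive(events):
    """Return the process-creation events that started dsmadmc.exe interactively."""
    return [e for e in events
            if is_dsmadmc(e["Image"]) and classify_mode(e["CommandLine"]) == "interactive"]


if __name__ == "__main__":
    for e in flag_interactive(SAMPLE_EVENTS):
        print(f"interactive dsmadmc launch by {e['User']}: {e['CommandLine']}")
```

Feed real process-creation telemetry in the same three fields and alert on the returned events, which are the only launches exposed to the interactive-mode overflow.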
