CVE-2021-20532
📋 TL;DR
This vulnerability in IBM Spectrum Protect Client allows a local user to escalate privileges to SYSTEM/root level due to insecure directory permissions. It affects IBM Spectrum Protect Client versions 8.1.0.0 through 8.1.11.0. The attacker must have local access to the system to exploit this.
💻 Affected Systems
- IBM Spectrum Protect Client
📦 What is this software?
Spectrum Protect Backup Archive Client by IBM
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM/root privileges, enabling complete system compromise, data theft, persistence installation, and lateral movement.
Likely Case
Local user with limited privileges escalates to administrative rights, potentially installing malware, accessing sensitive data, or modifying system configurations.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the compromised user account only.
🎯 Exploit Status
Exploitation requires local access but is straightforward once local access is obtained. The vulnerability involves directory permission manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1.12.0 and later
Vendor Advisory: https://www.ibm.com/support/pages/node/6445503
Restart Required: Yes
Instructions:
1. Download IBM Spectrum Protect Client version 8.1.12.0 or later from IBM Fix Central.
2. Stop all Spectrum Protect services.
3. Install the updated version.
4. Restart the system.
5. Verify the installation completed successfully.
🔧 Temporary Workarounds
Restrict directory permissions
All platforms: manually adjust permissions on the IBM Spectrum Protect installation directory to prevent unauthorized write access.
Windows: icacls "C:\Program Files\Tivoli\TSM" /deny Users:(OI)(CI)W
Linux: chmod 755 /opt/tivoli/tsm/
Remove unnecessary local users
All platforms: reduce attack surface by removing non-essential local user accounts.
Windows: net user username /delete
Linux: userdel username
🧯 If You Can't Patch
- Implement strict least privilege access controls for all local user accounts
- Monitor the IBM Spectrum Protect installation directory for unauthorized permission changes
🔍 How to Verify
Check if Vulnerable:
Check the installed version of IBM Spectrum Protect Client. If version is between 8.1.0.0 and 8.1.11.0 inclusive, the system is vulnerable.
Check Version:
Windows: "C:\Program Files\Tivoli\TSM\dsmc.exe" -ver
Linux: dsmc -ver
Verify Fix Applied:
Verify the installed version is 8.1.12.0 or later and check that directory permissions are properly restricted.
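The two verification steps above can be scripted for Linux hosts. The following is an added example, not IBM's tooling or code from the advisory: the function names are hypothetical, the version string is supplied by the operator from the Check Version output, and the directory defaults to the `/opt/tivoli/tsm/` path used in the workaround. It walks the whole tree because `chmod 755` on the top-level directory does not change the permissions of anything beneath it.

```shell
#!/bin/sh
# Added example: audit a Spectrum Protect client for CVE-2021-20532 exposure.
# Function names are hypothetical; pass the version reported by the client.

# Exit 0 if VERSION is within 8.1.0.0..8.1.11.0 (inclusive), 1 if outside,
# 2 if it is not a four-part dotted version.
version_in_affected_range() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 2 }
        { v = (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4
          exit !(v >= 8001000000 && v <= 8001011000) }'
}

# Print every file or directory under DIR that is group- or other-writable,
# i.e. anything looser than the 755 mode recommended in the workaround.
# Symlinks are skipped because their own mode bits are not enforced.
find_loose_paths() {
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print
}

# Combine both checks; return 0 only if the version is fixed and no
# loosely permissioned path exists under DIR.
audit_tsm_client() {
    status=0
    rc=0
    version_in_affected_range "$1" || rc=$?
    case $rc in
        0) echo "VULNERABLE: client $1 is within 8.1.0.0-8.1.11.0"; status=1 ;;
        2) echo "UNPARSEABLE version string: $1"; status=1 ;;
    esac
    loose=$(find_loose_paths "$2")
    if [ -n "$loose" ]; then
        echo "LOOSE PERMISSIONS (group/other writable):"
        echo "$loose"
        status=1
    fi
    return "$status"
}

# Stand-alone use: ./audit.sh 8.1.11.0 /opt/tivoli/tsm
if [ "$#" -eq 2 ]; then
    audit_tsm_client "$1" "$2"
fi
```

Run it from a scheduled job and alert on a non-zero exit status to cover the "monitor the installation directory" recommendation as well.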
📡 Detection & Monitoring
Log Indicators:
- Unexpected permission changes to IBM Spectrum Protect directories
- Unauthorized access attempts to TSM installation paths
- Privilege escalation events in system logs
Network Indicators:
- N/A - Local privilege escalation only
SIEM Query:
EventID=4672 OR EventID=4688 on Windows systems with TSM process execution from non-admin users