TWSL2011-018: Authentication Bypass Vulnerability in IBM TS3100/TS3200 Web User Interface

The Spiderlabs team at Trustwave published a new advisory for a authentication bypass finding found in the TS3100/TS3200 tape library. The TS3100/TS3200 tape library is a entry-level backup solution manufactured by IBM and this product is designed to archive data-storage needs for small-to-medium environments. The unit has remote management capabilities as well as remote administration capabilities through its web user interface.

Martin Murfitt who works as a Penetration Tester for the Trustwave SpiderLabs discovered a security flaw in the web user interface that allowed him to bypass authentication while performing a test for a Trustwave client. IBM has confirmed Martin's findings and the company has released firmware version A.60 to address this issue. The updated firmware can be downloaded by visiting IBM's Security Bulletin at http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003938.

For additional information, please view the full advisory at the following address:

https://www.trustwave.com/spiderlabs/advisories/TWSL2011-018.txt

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.