IBM has warned that a security flaw in Tivoli Storage Manager Express backup and recovery system could enable unauthorised access to data.

The company recommended that users should immediately download and install a patch to fix an uncovered heap overflow security hole in Express Server. If left unprotected, the flaw could enable an attacker to execute arbitrary code on at risk systems to compromise TSM Express, said IBM.

A security patch for the heap overflow is included in the Storage Manager Express 5.3.7.3 fix pack software update, IBM said.

According to IBM's security alert, an attacker could deliver specially built packets to a Express server by directly opening the server TCP socket, instead of the TSM client, to enact a buffer overflow. The buffer overflow could allow a remote party to inject arbitrary code direct into TSM Express server that would be executed along with SYSTEM user privileges.

The TSM Express flaw was recently discovered by a security research team at security tool maker TippingPoint, a division of 3Com.

The advisory marks the second time in four months that IBM has scrambled to plug Tivoli Storage Manager security holes. In September, the company notified customers to patch two vulnerabilities in the Tivoli Storage Manager backup client that could allow data to be exposed if left unprotected.