Using directory traversal via TFTP, it is possible to access files on the host through the PXE Representative TFTP folder. This allows anonymous TFTP users to download any file from the host machine by using directory traversal through the TFTPdownload folder.
The PXE TFTP Service is vulnerable to a classic directory traversal vulnerability that can be exploited by adding one or more characters before the usual dot-dot pattern.
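The bug class described above, shown as an added example (this is not LANDesk code and is not taken from the patch): a filter that only inspects the start of the requested name is compared with a check that canonicalizes the path first and then verifies it is still under the served folder. The root path, function names and sample requests are assumptions made for illustration.

```python
import posixpath
from typing import Optional

TFTP_ROOT = "/srv/tftp"  # hypothetical served directory (assumption)


def naive_is_safe(requested: str) -> bool:
    """Weak filter (hypothetical): rejects only names that START with dot-dot."""
    name = requested.replace("\\", "/")
    return name != ".." and not name.startswith("../")


def resolve_in_root(requested: str, root: str = TFTP_ROOT) -> Optional[str]:
    """Return the canonical path if it stays under root, else None."""
    name = requested.replace("\\", "/")          # treat both separators alike
    if "\x00" in name or name.startswith("/") or name[1:2] == ":":
        return None                              # NUL, absolute path, drive letter
    # Collapse every "." and ".." segment before deciding anything.
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Lexical check only; on a real filesystem also resolve symlinks
    # (os.path.realpath) before comparing against the root.
    if not candidate.startswith(root + "/"):
        return None                              # escaped the root, or is the root
    return candidate


# Constructed sample requests, not captured traffic.
SAMPLES = [
    "boot/pxelinux.0",             # ordinary file under the root
    "boot/../menu.cfg",            # dot-dot that stays inside the root
    "../outside.txt",              # plain dot-dot: both checks reject it
    "boot/../../outside.txt",      # characters before the dot-dot pattern
    "boot\\..\\..\\outside.txt",   # same request with backslash separators
]


def audit(requests):
    """Return (request, naive verdict, canonical path or None) per request."""
    return [(r, naive_is_safe(r), resolve_in_root(r)) for r in requests]


if __name__ == "__main__":
    for req, naive_ok, resolved in audit(SAMPLES):
        verdict = resolved if resolved else "REJECTED"
        print(f"{req!r:32} naive={naive_ok!s:5} canonical={verdict}")
```

Requests where the naive verdict is True but the canonical result is None are the ones a prefix-only filter lets through.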
LDMS 8.7 SP5 and prior service packs with PXE Representatives deployed.
LDMS 8.8 with PXE Representatives deployed.
New Patch Downloads
For LDMS 8.7 SP5 download OSD-848987.5.zip which is attached to this document. (NOTE: You must have 8.7 SP5 installed)
For LDMS 8.8 download OSD-848988.0.zip which is attached to this document.
NOTE: These patches include the code for the previous OSD-7374XX patches that address bullet point 1 in the Description section as well as code to address bullet point 2. In any case where OSD-7374XX has already been applied to the core, the above patches should be applied to include the new fix.
Where to Send Feedback
At LANDesk, we are constantly striving to improve our products and services and hope you find these changes reflective of our ongoing commitment to listen to you—our partners and customers—in providing the best possible solutions to needs now and in the future. Please continue to provide feedback by contacting our local support organization.
LANDesk Product Support
Copyright © 2008 LANDesk Software.