
LANDesk Security Bulletin – TFTP access through directory traversal on LANDesk PXE Representatives. *UPDATED 4/11/08*

VERSION 3
Created on: Mar 31, 2008 5:20 PM by tanner - Last Modified:  Apr 11, 2008 11:24 AM by Watticus

Description

  • Using directory traversal via TFTP, it is possible to access files on the host through the PXE Representative TFTP folder. This allows anonymous TFTP users to download any file from the host machine by using directory traversal through the TFTPdownload folder.

  • The PXE TFTP Service is vulnerable to a classic directory traversal that is exploitable by adding one or more characters before the usual dot-dot (..) pattern.
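An added example (not LANDesk's code and not part of the bulletin): a hypothetical filter that rejects only a leading dot-dot is set beside a containment check that normalizes the joined path and compares it, component by component, with the TFTP root. The root path, function names and request names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules; purely lexical, so this runs on any OS
from typing import Optional

TFTP_ROOT = r"C:\tftproot"  # assumed root for illustration, not from the bulletin

def naive_is_allowed(requested: str) -> bool:
    """Hypothetical weak filter: rejects only names that START with '..'."""
    return not requested.replace("/", "\\").startswith("..")

def resolve_in_root(requested: str, root: str = TFTP_ROOT) -> Optional[str]:
    """Return the normalized path if it is strictly inside root, else None."""
    if "\x00" in requested or ntpath.splitdrive(requested)[0]:
        return None  # NUL byte, drive letter (C:...) or UNC (\\host\share)
    root_n = ntpath.normcase(ntpath.normpath(root))
    # Normalize AFTER joining, so '..' anywhere in the name is collapsed
    # against the root instead of being pattern-matched.
    cand = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))
    try:
        inside = ntpath.commonpath([root_n, cand]) == root_n
    except ValueError:  # different drives or mixed absolute/relative paths
        return None
    # commonpath compares whole components, so C:\tftproot2 is not "inside".
    return cand if inside and cand != root_n else None

# Constructed request names (not captured traffic).
SAMPLES = ["images/boot.img", "../boot.ini", "x/../../boot.ini",
           r"a\..\..\tftproot2\f", r"C:\Windows\win.ini", "x/.."]

def audit(names=SAMPLES):
    """Map each name to (naive verdict, contained path or None)."""
    return {n: (naive_is_allowed(n), resolve_in_root(n)) for n in names}

if __name__ == "__main__":
    for name, (naive_ok, path) in audit().items():
        print(f"{name!r:28} naive={naive_ok!s:5} contained={path}")
```

The check is lexical only; a server should also resolve the path on disk (for example with os.path.realpath) before comparing, so that links or junctions inside the root cannot point outside it.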

 

 

 

 

 

 

Affected Platforms

  • LDMS 8.7 SP5 and prior service packs with PXE Representatives deployed.

  • LDMS 8.8 with PXE Representatives deployed.

 

New Patch Downloads

  • For LDMS 8.7 SP5 download OSD-848987.5.zip which is attached to this document.  (NOTE: You must have 8.7 SP5 installed)

  • For LDMS 8.8 download OSD-848988.0.zip which is attached to this document.

 

NOTE:  These patches include the code from the previous OSD-7374XX patches, which address bullet point 1 in the Description section, as well as code to address bullet point 2.  In any case where OSD-7374XX has already been applied to the core, the above patches should be applied to include the new fix.

Where to Send Feedback

At LANDesk, we are constantly striving to improve our products and services and hope you find these changes reflective of our ongoing commitment to listen to you—our partners and customers—in providing the best possible solutions to meet your needs now and in the future.  Please continue to provide feedback by contacting our local support organization.

 

Best regards,

LANDesk Product Support

 

Copyright © 2008 LANDesk Software. All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its affiliated entities in the United States and/or other countries. Other names or brands may be claimed as the property of others.

 

Information in this document is provided for information purposes only.  The information presented here is subject to change without notice.  This information is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including any implied warranties and conditions of merchantability or fitness for a particular purpose. LANDesk disclaims any liability with respect to this document and LANDesk has no responsibility or liability for any third party products of any content contained on any site referenced herein.  This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. For the most current product information, please visit http://www.landesksoftware.com.
