LANDesk Security Bulletin – TFTP access through directory traversal on LANDesk PXE Representatives. *UPDATED 4/11/08*








    • Directory traversal over TFTP makes it possible to access files on the host through the PXE Representative TFTP folder. Anonymous TFTP users can download any file from the host machine by using directory traversal through the TFTPdownload folder.

    • The PXE TFTP Service is vulnerable to a classic directory traversal vulnerability, exploitable by adding one or more characters before the usual dot-dot pattern.
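
    Added example (not LANDesk code and not part of the bulletin): a containment check of the kind a TFTP server needs so that a requested name with characters placed before the dot-dot segment cannot leave the TFTP root. The root path, the naive_is_safe filter and the sample request names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, evaluated lexically on any host OS
import struct
from typing import Optional

TFTP_ROOT = r"C:\tftproot"  # assumed root for illustration, not from the bulletin

def parse_rrq(packet: bytes) -> Optional[str]:
    """Extract the filename from a TFTP read request (RFC 1350, opcode 1)."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != 1:
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:  # filename, mode, trailing empty field
        return None
    try:
        return fields[0].decode("ascii")
    except UnicodeDecodeError:
        return None

def naive_is_safe(name: str) -> bool:
    """Hypothetical weak filter: only rejects names that begin with dot-dot."""
    return not name.startswith(("../", "..\\"))

def resolve_in_root(name: str, root: str = TFTP_ROOT) -> Optional[str]:
    """Return the normalized path if it stays under root, otherwise None."""
    drive, tail = ntpath.splitdrive(name)
    if drive or ":" in name or tail.startswith(("/", "\\")):
        return None  # drive-qualified, UNC, stream or absolute names
    root_n = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_n, name))
    # Component-wise comparison, so C:\tftproot-old does not match C:\tftproot.
    common = ntpath.commonpath([root_n, candidate])
    if ntpath.normcase(common) != ntpath.normcase(root_n):
        return None
    return candidate

def handle_rrq(packet: bytes) -> Optional[str]:
    """Path the server may open for this request, or None to send an error."""
    name = parse_rrq(packet)
    return resolve_in_root(name) if name is not None else None

def rrq(name: str) -> bytes:
    """Build a constructed sample read request (not captured traffic)."""
    return struct.pack("!H", 1) + name.encode("ascii") + b"\x00octet\x00"

if __name__ == "__main__":
    for n in ("boot/pxe.0", "x/../../outside.txt", "..\\outside.txt"):
        print(n, naive_is_safe(n), handle_rrq(rrq(n)))
```

    The check is lexical only; a server that must also cope with junctions or symbolic links inside the root needs to resolve the real path before comparing.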







    Affected Platforms







    • LDMS 8.7 SP5 and prior service packs with PXE Representatives deployed.

    • LDMS 8.8 with PXE Representatives deployed.


    New Patch Downloads







    • For LDMS 8.7 SP5 download which is attached to this document.  (NOTE: You must have 8.7 SP5 installed)

    • For LDMS 8.8 download which is attached to this document.


    NOTE:  These patches include the code for the previous OSD-7374XX patches that address bullet point 1 in the Description section as well as code to address bullet point 2.  In any case where OSD-7374XX has already been applied to the core, the above patches should be applied to include the new fix.

    Where to Send Feedback

    At LANDesk, we are constantly striving to improve our products and services and hope you find these changes reflective of our ongoing commitment to listen to you—our partners and customers—in providing the best possible solutions to meet your needs now and in the future.  Please continue to provide feedback by contacting our local support organization.


    Best regards,


    LANDesk Product Support


    Copyright © 2008 LANDesk Software. All rights reserved. LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or its affiliated entities in the United States and/or other countries. Other names or brands may be claimed as the property of



    Information in this document is provided for information purposes only.  The information presented here is subject to change without notice.  This information is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including any implied warranties and conditions of merchantability or fitness for a particular purpose. LANDesk disclaims any liability with respect to this document and LANDesk has no responsibility or liability for any third party products of any content contained on any site referenced herein.  This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. For the most current product information, please