LANDesk Management Suite PXE TFTP directory traversal

landesk-pxetftp-directory-traversal (41562) The risk level is classified as MediumMedium Risk

Description:

LANDesk Management Suite could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the PXE TFTP Service (PXEMTFTP.exe) using directory traversal sequences to download arbitrary files from the vulnerable system.

Platforms Affected:

  • LANDesk, LANDesk Management Suite 8.7 SP5
  • LANDesk, LANDesk Management Suite 8.8

Remedy:

For LANDesk Management Suite version 8.7 SP5:
Apply the patch for this vulnerability (OSD-737487.5.zip), available from the LANDesk Security Bulletin 2659. See References.

For LANDesk Management Suite version 8.8:
Apply the patch for this vulnerability (OSD-737488.0.zip), available from the LANDesk Security Bulletin 2659. See References.

Consequences:

Gain Access

References:

  • LANDesk Security Bulletin 2659, TFTP access through directory traversal on LANDesk PXE Representatives at http://community.landesk.com/support/docs/DOC-2659.
  • BID-28535: LANDesk Management Suite TFTP service Directory Traversal Vulnerability
  • BID-28577: LANDesk Management Suite 8.80.1.1 PXE TFTP Service Directory Traversal Vulnerability
  • CVE-2008-1643: Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.exe) in LANDesk Management Suite (LDMS) 8.7 SP5 and earlier and 8.8 allows remote attackers to read arbitrary files via unspecified vectors.
  • FrSIRT/ADV-2008-1051: LANDesk Management Suite PXE TFTP Directory Traversal Vulnerability
  • SA29324: LANDesk Management Suite PXE TFTP Service Directory Traversal
  • SECTRACK ID: 1019748: LANDesk Management Suite PXE Representative TFTP Server Lets Remote Users Traverse the Directory

Reported:

Mar 31, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page