|
 |
|
LANDesk Management Suite PXE TFTP Service Directory Traversal
|
|
|
|
|
Secunia Advisory:
|
SA29324
|
|
|
Release Date:
|
2008-04-01
|
|
Last Update:
|
2008-04-14
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Exposure of system information
Exposure of sensitive information
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | LANDesk Management Suite 8.x
|
| | CVE reference: | CVE-2008-1643 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Parvez Anwar has discovered a vulnerability in LANDesk Management Suite, which can be exploited by malicious people to disclose sensitive information.
The vulnerability is caused due to an input validation error within the PXE TFTP Service (PXEMTFTP.exe) and can be exploited to download arbitrary files from an affected system via directory traversal attacks.
The vulnerability is confirmed in PXEMTFTP.exe version 8.70.7.1 included in LANDesk Management Suite version 8.7 SP5, and version 8.70.7.2 and 8.80.1.1. Other versions may also be affected.
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, scan using the Network Software Inspector.
Solution:
Apply patches.
8.7 SP5 (OSD-848987.5.zip):
http://community.landesk.com/support/...download/2659-3-1843/OSD-848987.5.zip
8.8 (OSD-848988.0.zip):
http://community.landesk.com/support/...download/2659-3-1842/OSD-848988.0.zip
Provided and/or discovered by:
Discovered by Parvez Anwar. Additional information about improper fix provided by Luigi Auriemma.
Changelog:
2008-04-02: Updated "Solution" and "Description" sections with information about improper fixes, reported by Luigi Auriemma.
2008-04-11: Added CVE reference.
2008-04-14: Updated "Solution" section.
Original Advisory:
LANDesk:
http://community.landesk.com/support/docs/DOC-2659
Luigi Auriemma:
http://aluigi.altervista.org/adv/landesktftp-adv.txt
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
3 Related Secunia Security Advisories
|
|
|
1. LANDesk Management Suite Alert Service Buffer Overflow
|
|
2. LANDesk Management Suite Denial of Service Vulnerability
|
|
3. LANDesk Management Suite "ircrboot.dll" Buffer Overflow Vulnerability
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
