Executive Summary

Summary
Title: Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32
Information
Name: VU#632633
First vendor Publication: 2009-11-19
Vendor: VU-CERT
Last vendor Modification: 2009-11-19
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score: 7.5
Cvss Impact Score: 6.4
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#632633

Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32

Overview

Wyse Simple Imager (WSI) includes older versions of TFTPD32 that contain publicly known vulnerabilities. An attacker could exploit these vulnerabilities to potentially execute arbitrary code on the system running WSI and TFTPD32.

I. Description

Wyse Simple Imager (WSI) is a component of Wyse Device Manager (WDM, formerly known as Wyse Rapport). WSI includes TFTPD32 as the TFTP service to load firmware images on client devices. These versions of TFTPD32 contain several known vulnerabilities. The following list of TFTPD32 vulnerabilities is based on public information:
  1. CVE-2002-2226 Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
  2. CVE-2002-2237 tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a denial of service via a GET request with a DOS device name such as com1 or aux.
  3. CVE-2002-2353 tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbitrary files via a full pathname in GET and PUT requests.
  4. CVE-2006-0328 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.
  5. CVE-2006-6141 Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.
  6. OSVDB ID: 12898 Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service.
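
A defensive check for the request classes listed above, as an added example that is not part of the CERT note or of TFTPD32: it parses a TFTP read/write request (RFC 1350 layout) and labels filenames that match the listed patterns. The length limit, label names and sample datagrams are assumptions constructed for illustration.

```python
import re
import struct

MAX_FILENAME = 128   # assumed policy limit, not a value from the advisory
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}
OPCODES = {1: "RRQ", 2: "WRQ"}   # RFC 1350 read and write requests

def parse_request(datagram: bytes):
    """Return (op, filename, mode) for an RRQ/WRQ, or None otherwise."""
    if len(datagram) < 4:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        return None
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3:   # filename and mode must both be NUL-terminated
        return None
    return OPCODES[opcode], fields[0].decode("latin-1"), fields[1].decode("latin-1")

def classify(datagram: bytes):
    """Label the first datagram of a transfer with the classes it matches."""
    req = parse_request(datagram)
    if req is None:
        return ["malformed-or-not-a-request"]
    _, name, _ = req
    findings = []
    if len(name) > MAX_FILENAME:
        findings.append("long-filename")     # CVE-2002-2226, CVE-2006-6141, OSVDB 12898
    stem = re.split(r"[\\/]", name)[-1].split(".")[0].lower()
    if stem in DOS_DEVICES:
        findings.append("dos-device-name")   # CVE-2002-2237
    if re.match(r"^([A-Za-z]:|[\\/])", name):
        findings.append("absolute-path")     # CVE-2002-2353
    if "%" in name:
        findings.append("format-specifier")  # CVE-2006-0328
    return findings

def rrq(name: str) -> bytes:
    """Build a constructed sample read request in octet mode."""
    return struct.pack("!H", 1) + name.encode("latin-1") + b"\x00octet\x00"

if __name__ == "__main__":
    # Constructed sample filenames, one per class plus a normal request.
    for sample in ("wsi/image.bin", "aux", "C:\\images\\push.bin", "%s.bin", "A" * 300):
        print(repr(sample[:24]), classify(rrq(sample)))
```
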

II. Impact

An attacker with network access to TFTPD32 could execute arbitrary code or cause a denial of service on a vulnerable system.

III. Solution

Use Wyse WDM and USB Imaging Tool


According to Wyse, WSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and USB Imaging Tool. Customers who are unable to migrate promptly can refer to Wyse Knowledge Base article 18555 for remedial action. Wyse Knowledge Base is accessible through http://suppport.wyse.com/.

Upgrade TFTPD32

Upgrade TFTPD32 by downloading the latest version.

WSI 1.3.6 provides TFTPD32 version 2.0 in the directory ftprootRapportToolssautil and TFTPD32 version 2.80 in ftprootRapportToolssautilTFTPD280. Consider using TFTPD32 version 2.80 or downloading the most current version of TFTPD32.

This table is based on public information, a brief exchange with the author of TFTPD32, and limited testing. This information may not be completely accurate; please send corrections to cert@cert.org.


Vulnerability | Fixed Version | Wyse Resolution
CVE-2002-2226 | 2.50.2 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2237 | 2.51 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2353 | 2.51 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2006-0328 | 2.8.2 | ?
CVE-2006-6141 | 3.10b | ?
OSVDB ID: 12898 | 2.80 | Addressed by WSB09-01 (using TFTPD32 version 2.80).

Restrict Access to WSI

To limit the exposure of TFTPD32, run WSI systems on a physically isolated network, such as a staging network where client devices are imaged before production deployment.

Systems Affected

Vendor | Status | Date Notified | Date Updated
TFTPD32 | Vulnerable | 2009-11-11
Wyse | Vulnerable | 2009-07-04 | 2009-11-19

References


http://tftpd32.jounin.net/tftpd32_news.html
http://tftpd32.jounin.net/tftpd32.html
http://osvdb.org/show/osvdb/12898
http://secway.org/advisory/ad20050108.txt
http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Credit

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft and Art Manion.

This document was written by Art Manion.

Other Information

Date Public: 2009-07-10
Date First Published: 2009-11-19
Date Last Updated: 2009-11-19
CERT Advisory:
CVE-ID(s): CVE-2002-2226; CVE-2002-2237; CVE-2002-2353; CVE-2006-0328; CVE-2003-6141
NVD-ID(s): CVE-2002-2226; CVE-2002-2237; CVE-2002-2353; CVE-2006-0328; CVE-2003-6141
US-CERT Technical Alerts:
Metric: 13.51
Document Revision: 54

Original Source

Url : http://www.kb.cert.org/vuls/id/632633

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
25 % CWE-264 Permissions, Privileges, and Access Controls
25 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Application 22
Application 1
Application 2

OpenVAS Exploits

Date Description
2012-05-23 Name : TFTPD32 Request Error Message Format String Vulnerability
File : nvt/secpod_tftpd32_req_format_string_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
60130 TFTP32 tftpd MS-DOS Device Name GET Request Remote DoS

57701 Tftpd32 GET / PUT Request Absolute Path Arbitrary File Manipulation

45903 TFTP32 tftpd Filename Argument Handling Remote Overflow

A buffer overflow exists in TFTP32. tftpd fails to validate filename arguments resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

30502 Tftpd32 GET/PUT Command File Name Handling Overflow DoS

22661 Tftpd32 Error Message Remote Format String

A remote format string vulnerability in Tftpd32 can be triggered when the server uses the filename passed in TFTP requests to construct an error message. With a specially crafted filename, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

12898 Tftpd32 Long File Name Request Remote DoS

Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service.

Nessus® Vulnerability Scanner

Date Description
2006-11-18 Name : The remote TFTP server is affected by a buffer overflow vulnerability.
File : tftpd32_filename_overflow.nasl - Type : ACT_DESTRUCTIVE_ATTACK
2006-01-20 Name : The remote tftp server is affected by a format string vulnerability.
File : tftpd32_format_string.nasl - Type : ACT_DENIAL
2005-05-16 Name : The remote TFTP server can be used to read arbitrary files on the remote host.
File : tftpd_dir_trav.nasl - Type : ACT_ATTACK