-- Corsaire Security Advisory -- Title: HP Ignite-UX filesystem permissions issue Date: 23.11.04 Application: HP Ignite-UX prior to version C.6.2.241 Environment: HP-UX Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c041123-002 -- Scope -- The aim of this document is to clearly define a vulnerability in the HP Ignite-UX product, as supplied by HP Inc. [1], that would allow unauthenticated write access to the host filesystem, both remotely and locally. -- History -- Discovered: 23.11.04 (Martin O'Neal) Vendor notified: 23.11.04 Document released: 16.08.05 -- Overview -- The HP Ignite-UX "addresses the need for HP-UX system administrators to perform system installations and deployment, often on a large scale" [2] As part of the installation process, the product can install and enable a TFTP server to facilitate anonymous access to configuration data. In certain circumstances, sections of the TFTP server tree can become world-writeable, allowing an attacker to use this as a mechanism for moving data/tools into and out of the host, or simply launch a DoS exhaustion attack against the host through filling the local filesystem. -- Analysis -- The HP Ignite-UX can use a TFTP server to facilitate anonymous access to configuration data. When the add_new_client command is used, sections of the TFTP server tree may be made world-writeable. -- Recommendations -- Download and apply the HP Ignite-UX version C.6.2.241 patches. If in any doubt, disable the TFTP server. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004- 0952 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.hp.com [2] http://software.hp.com/products/IUX/overview.html -- Revision -- a. Initial release. b. Released. -- Distribution -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2004 Corsaire Limited. All rights reserved.