TFTP directory traversal vulnerability in CiscoWorks LMS

Unanswered Question
Apr 28th, 2009
User Badges:

We have an install of CiscoWorks LMS 3.0.1 and during a recent security audit it was flagged for making the host server susceptible to directory traversal attacks via CiscoWork's TFTP service. CiscoWorks uses TFTP to pull configs and to push IOS images, but the problem is that any host with connectivity to the CiscoWorks server can use TFTP to access the host server and navigate to any file on the server. For example, we tried "TFTP get [host IP] .../.../.../.../.../boot.ini" and were able to copy the boot.ini to our local PC. This is known as a directory traversal attack or a dot-dot-slash attack. So does anyone know a way to limit the TFTP service to one file or one directory on the CiscoWorks server, or to limit the TFTP access to specific hosts? We'd already considered ACLs, by the way, but we were hoping to find a fix within CiscoWorks itself.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
yjdabear Wed, 04/29/2009 - 08:06
User Badges:
  • Gold, 750 points or more

Is Solaris not affected? The bug description makes no mention of specific platforms, but the patch is only available for Windows.

Joe Clarke Wed, 04/29/2009 - 08:07
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Only Windows is affected.

wilson_1234_2 Thu, 05/21/2009 - 11:51
User Badges:


When I try to run the patch, it fails to successfuly complete the installation.

The process starts, the tftp service shuts down but I end up with the below error message,

Also the "exe" file, seems to get corrupted and goes from 33K to 0K, then I get the error message that it is not a valid win32 application.

Error message I get during launch:


The patch is getting installed.....

The CWCS tftp service service is stopping.

The CWCS tftp service service was stopped successfully.

System error 193 has occurred.

*** is not a valid Win32 application.

Unable to start TFTP services


Joe Clarke Thu, 05/21/2009 - 11:56
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

What is the MD5 checksum of the crmtftp.exe file? It should be:

MD5 (crmtftp.exe) = c9c3ee0a7f806f4aad6dfe3486a257c7

If not, the copy got corrupted somehow. What you should do is move the Perl script along with the good crmtftp.exe from the patch .zip file to C:\WINDOWS\TEMP. Then run:


yusuf.ujjainwala Tue, 05/26/2009 - 02:16
User Badges:

I followed the instructions and the patch got installed .Thanks for all the help

pweinhold Wed, 04/29/2009 - 09:37
User Badges:

Thanks, that appears to have worked for us.

I should point out, however, that the README file leaves out some important details. First off, both the pearl script and the .exe need to be in the /bin directory before you run the command.

Also, we found that these same two files were already in our /bin, but apparently they were older versions, i.e. the un-patched versions. So to make the patch work, we had to delete the existing pearl and .exe files, then replace them with the files from the patch, then run the command.

rgomes Fri, 05/22/2009 - 13:43
User Badges:

On the advisory cisco-sa-20090520-cw states that the LMS versions 2.5, 2.6, 3.0, and 3.1 are affected. The release info says 3.0.x to 3.2.

On LMS 2.6 the CS version is 3.1.

Does this patch version sure applies to LMS 2.6?

Joe Clarke Fri, 05/22/2009 - 15:13
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

LMS 2.6 uses CS 3.0.5 or 3.0.6. It is vulnerable, and patch applies.


This Discussion