TFTP directory traversal vulnerability in CiscoWorks LMS

pweinhold
Level 1

We have an install of CiscoWorks LMS 3.0.1 and during a recent security audit it was flagged for making the host server susceptible to directory traversal attacks via CiscoWorks' TFTP service. CiscoWorks uses TFTP to pull configs and to push IOS images, but the problem is that any host with connectivity to the CiscoWorks server can use TFTP to access the host server and navigate to any file on the server. For example, we tried "TFTP get [host IP] .../.../.../.../.../boot.ini" and were able to copy the boot.ini to our local PC. This is known as a directory traversal attack or a dot-dot-slash attack. So does anyone know a way to limit the TFTP service to one file or one directory on the CiscoWorks server, or to limit the TFTP access to specific hosts? We'd already considered ACLs, by the way, but we were hoping to find a fix within CiscoWorks itself.
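
An added example, not part of the original post and not CiscoWorks code: a sketch of the root-confinement check a TFTP service needs before opening a requested filename, so that requests like the one quoted above are refused. The root `D:\tftpboot` and the names `resolve_request` and `is_allowed` are assumptions for illustration; `ntpath` is used so that Windows path rules apply on any platform.

```python
import ntpath
import re

# Assumed TFTP root, for illustration only (not a path from the thread).
TFTP_ROOT = r"D:\tftpboot"

# Allow-list for one path component: letters, digits, dot, underscore, hyphen.
_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")


class RejectedRequest(ValueError):
    """The requested filename must not be served."""


def resolve_request(filename, root=TFTP_ROOT):
    """Map a TFTP read/write request filename to a path under root, or raise."""
    # Windows accepts both separators, so split on either one.
    parts = filename.replace("/", "\\").split("\\")
    for part in parts:
        # Empty parts (leading or doubled separators, UNC), drive letters,
        # stream names (':'), spaces and NUL all fail the allow-list.
        if not _COMPONENT.fullmatch(part):
            raise RejectedRequest("disallowed component: %r" % part)
        # Refuse '.', '..', '...' and any dot-terminated name outright rather
        # than relying on how the OS would normalise them.
        if part.endswith("."):
            raise RejectedRequest("dot-only or dot-terminated component")
    root_norm = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: lexical containment check, case-insensitive.
    # It does not resolve junctions or symlinks inside the root.
    if ntpath.commonpath([root_norm, ntpath.normcase(candidate)]) != root_norm:
        raise RejectedRequest("escapes TFTP root")
    return candidate


def is_allowed(filename, root=TFTP_ROOT):
    try:
        resolve_request(filename, root)
        return True
    except RejectedRequest:
        return False


if __name__ == "__main__":
    # Constructed sample requests; the second is the form quoted in the post.
    for name in ("configs/router1.cfg", ".../.../.../.../.../boot.ini",
                 "..\\..\\boot.ini", "C:\\boot.ini", "/boot.ini"):
        print("%-32s %s" % (name, "serve" if is_allowed(name) else "reject"))
```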

10 Replies

Joe Clarke
Cisco Employee

A patch has been posted to http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one . The bug ID is CSCsx07107.

Is Solaris not affected? The bug description makes no mention of specific platforms, but the patch is only available for Windows.

Only Windows is affected.

Joe,

When I try to run the patch, it fails to successfully complete the installation.

The process starts, the tftp service shuts down, but I end up with the error message below.

Also, the "exe" file seems to get corrupted and goes from 33K to 0K, then I get the error message that it is not a valid win32 application.

Error message I get during launch:

D:\CSCOpx\bin>perl CSCsx07107-0.pl

The patch is getting installed.....

The CWCS tftp service service is stopping.

The CWCS tftp service service was stopped successfully.

System error 193 has occurred.

*** is not a valid Win32 application.

Unable to start TFTP services

D:\CSCOpx\bin>

What is the MD5 checksum of the crmtftp.exe file? It should be:

MD5 (crmtftp.exe) = c9c3ee0a7f806f4aad6dfe3486a257c7

If not, the copy got corrupted somehow. What you should do is move the Perl script along with the good crmtftp.exe from the patch .zip file to C:\WINDOWS\TEMP. Then run:

NMSROOT\bin\perl C:\WINDOWS\TEMP\CSCsx07107-0.pl

Joe,

That did it, thanks a ton.

I followed the instructions and the patch got installed. Thanks for all the help.

Thanks, that appears to have worked for us.

I should point out, however, that the README file leaves out some important details. First off, both the Perl script and the .exe need to be in the /bin directory before you run the command.

Also, we found that these same two files were already in our /bin, but apparently they were older versions, i.e. the un-patched versions. So to make the patch work, we had to delete the existing Perl and .exe files, then replace them with the files from the patch, then run the command.

The advisory cisco-sa-20090520-cw states that LMS versions 2.5, 2.6, 3.0, and 3.1 are affected. The cwcs3.x-win-CSCsx07107-0.zip release info says 3.0.x to 3.2.

On LMS 2.6 the CS version is 3.1.

Does this patch version definitely apply to LMS 2.6?

LMS 2.6 uses CS 3.0.5 or 3.0.6. It is vulnerable, and the patch applies.
