New Member

TFTP directory traversal vulnerability in CiscoWorks LMS

We have an install of CiscoWorks LMS 3.0.1 and during a recent security audit it was flagged for making the host server susceptible to directory traversal attacks via CiscoWorks' TFTP service. CiscoWorks uses TFTP to pull configs and to push IOS images, but the problem is that any host with connectivity to the CiscoWorks server can use TFTP to access the host server and navigate to any file on the server. For example, we tried "TFTP get [host IP] .../.../.../.../.../boot.ini" and were able to copy the boot.ini to our local PC. This is known as a directory traversal attack or a dot-dot-slash attack. So does anyone know a way to limit the TFTP service to one file or one directory on the CiscoWorks server, or to limit the TFTP access to specific hosts? We'd already considered ACLs, by the way, but we were hoping to find a fix within CiscoWorks itself.
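
An added example, not part of the original thread and not Cisco's patch code: one way a TFTP server can confine requested filenames to a single root directory under Windows path rules, which is the restriction the post above asks for. The root `D:\tftpboot`, the function names and the sample requests are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules; runs on any OS for this demonstration

TFTP_ROOT = r"D:\tftpboot"  # assumed root directory, not a CiscoWorks path


class TraversalError(ValueError):
    """The requested filename would resolve outside the TFTP root."""


def resolve_request(requested, root=TFTP_ROOT):
    """Map a TFTP filename to a path under root, or raise TraversalError."""
    if not requested or "\x00" in requested:
        raise TraversalError("empty name or embedded NUL")
    name = requested.replace("/", "\\")  # Windows accepts both separators
    if name.startswith("\\") or ":" in name:
        # Rooted and UNC paths, drive letters, alternate data streams
        raise TraversalError("absolute path or ':' in name")
    parts = [p for p in name.split("\\") if p]
    for part in parts:
        # Covers ".", ".." and the "..." form quoted in the post. Win32 strips
        # trailing dots and spaces, so a dots-only component is never a file.
        if part.strip(". ") == "":
            raise TraversalError("dot component %r" % part)
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, *parts))
    # Defence in depth: the normalised result must still sit under the root
    if ntpath.commonpath([root_norm, full]).lower() != root_norm.lower():
        raise TraversalError("resolved outside root")
    return full


def audit(names):
    """Return {name: resolved path or 'REJECTED: reason'} for a batch."""
    results = {}
    for n in names:
        try:
            results[n] = resolve_request(n)
        except TraversalError as exc:
            results[n] = "REJECTED: %s" % exc
    return results


if __name__ == "__main__":
    # Constructed sample requests; the second is the string from the post
    samples = ["configs/router1.cfg", ".../.../.../.../.../boot.ini",
               "configs\\..\\..\\boot.ini", "C:\\boot.ini", "\\boot.ini"]
    for name, outcome in audit(samples).items():
        print("%-32s -> %s" % (name, outcome))
```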

10 REPLIES
Cisco Employee

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

A patch has been posted to http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-cd-one . The bug ID is CSCsx07107.

Blue

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

Is Solaris not affected? The bug description makes no mention of specific platforms, but the patch is only available for Windows.

Cisco Employee

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

Only Windows is affected.

New Member

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

Joe,

When I try to run the patch, it fails to successfully complete the installation.

The process starts, the tftp service shuts down, but I end up with the below error message.

Also, the "exe" file seems to get corrupted and goes from 33K to 0K, then I get the error message that it is not a valid win32 application.

Error message I get during launch:

D:\CSCOpx\bin>perl CSCsx07107-0.pl

The patch is getting installed.....

The CWCS tftp service service is stopping.

The CWCS tftp service service was stopped successfully.

System error 193 has occurred.

*** is not a valid Win32 application.

Unable to start TFTP services

D:\CSCOpx\bin>

Cisco Employee

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

What is the MD5 checksum of the crmtftp.exe file? It should be:

MD5 (crmtftp.exe) = c9c3ee0a7f806f4aad6dfe3486a257c7

If not, the copy got corrupted somehow. What you should do is move the Perl script along with the good crmtftp.exe from the patch .zip file to C:\WINDOWS\TEMP. Then run:

NMSROOT\bin\perl C:\WINDOWS\TEMP\CSCsx07107-0.pl

New Member

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

Joe,

That did it, thanks a ton.

New Member

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

I followed the instructions and the patch got installed. Thanks for all the help.

New Member

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

Thanks, that appears to have worked for us.

I should point out, however, that the README file leaves out some important details. First off, both the Perl script and the .exe need to be in the /bin directory before you run the command.

Also, we found that these same two files were already in our /bin, but apparently they were older versions, i.e. the un-patched versions. So to make the patch work, we had to delete the existing Perl and .exe files, then replace them with the files from the patch, then run the command.

New Member

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

The advisory cisco-sa-20090520-cw states that the LMS versions 2.5, 2.6, 3.0, and 3.1 are affected. The cwcs3.x-win-CSCsx07107-0.zip release info says 3.0.x to 3.2.

On LMS 2.6 the CS version is 3.1.

Does this patch version for sure apply to LMS 2.6?

Cisco Employee

Re: TFTP directory traversal vulnerability in CiscoWorks LMS

LMS 2.6 uses CS 3.0.5 or 3.0.6. It is vulnerable, and the patch applies.
