Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32

Overview

Wyse Simple Imager (WSI) includes older versions version of TFTPD32 that contains publicly known vulnerabilities. An attacker could exploit these vulnerabilities to potentially execute arbitrary code on the system running WSI and TFTPD32.

Description

Wyse Simple Imager (WSI) is a component of Wyse Device Manager (WDM, formerly known as Wyse Rapport). WSI includes TFTPD32 as the TFTP service to load firmware images on client devices. The versions of TFTPD32 contains several known vulnerabilities. The following list of TFTPD32 vulnerabilities is based on public information:

1. CVE-2002-2226 Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
2. CVE-2002-2237 tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a denial of service via a GET request with a DOS device name such as com1 or aux.
3. CVE-2002-2353 tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbitrary files via a full pathname in GET and PUT requests.
4. CVE-2006-0328 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.
5. CVE-2006-6141 Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.
6. OSVDB ID: 12898 Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service.

---

Impact

An attacker with network access to TFTPD32 could execute arbitrary code or cause a denial of service on a vulnerable system.

---

Solution

Use Wyse WDM and USB Imaging Tool
According to Wyse, WSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and USB Imaging Tool. Customers who are unable to migrate promptly, can refer to Wyse Knowledge Base article 18555 for remedial action. Wyse Knowledge Base is accessible through <http://suppport.wyse.com/&gt;.

Upgrade TFTPD32

Upgrade TFTPD32 by downloading the latest version.

WSI 1.3.6 provides TFTPD32 version 2.0 in the directory ftproot\Rapport\Tools\sa\til\ and TFTPD32 version 2.80 in ftproot\Rapport\Tools\sa\til\TFTPD280\. Consider using TFTPD32 version 2.80 or downloading the most current version of TFTPD32.

This table is based on public information, a brief exchange with the author of TFTPD32, and limited testing. This information may not be completely accurate, please send corrections to [email protected].

Vulnerability	Fixed Version	Wyse Resolution
CVE-2002-2226	2.50.2	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2237	2.51	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2353	2.51	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2006-0328	2.8.2	?
CVE-2006-6141	3.10b	?
OSVDB ID: 12898	2.80	Addressed by WSB09-01 (using TFTPD32 version 2.80).

Restrict Access to WSI

To limit the exposure of TFTPD32, run WSI systems on a physically isolated network, such as a staging network where client devices are imaged before production deployment…

---

Vendor Information

632633

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

TFTPD32 __ Affected

Updated: November 11, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The latest version of TFTPD32 is available here.

Wyse __ Affected

Notified: July 04, 2009 Updated: November 19, 2009

Statement Date: November 13, 2009

Status

Affected

Vendor Statement

WSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and USB Imaging Tool.

Customers who are unable to migrate promptly, can refer to Wyse Knowledge Base article 18555 for remedial action. Wyse Knowledge Base is accessible through <http://suppport.wyse.com/&gt;.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://suppport.wyse.com/&gt;

Addendum

WSI 1.3.6 includes TFTPD32 versions 2.00 and 2.80.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23632633 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://tftpd32.jounin.net/tftpd32_news.html&gt;
• <http://tftpd32.jounin.net/tftpd32.html&gt;
• <http://osvdb.org/show/osvdb/12898&gt;
• <http://secway.org/advisory/ad20050108.txt&gt;
• <http://www.wyse.com/serviceandsupport/support/WSB09-01.zip&gt;
• <http://www.wyse.com/serviceandsupport/Wyse Security Bulletin WSB09-01.pdf&gt;
• <http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/&gt;
• <http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html&gt;

Acknowledgements

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft and Art Manion.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2002-2226, CVE-2002-2237, CVE-2002-2353, CVE-2006-0328, CVE-2003-6141
Severity Metric:	13.51 Date Public: