
Hewlett Packard ProCurve Manager TFTP Directory Traversal Vulnerability

08.04.09

BACKGROUND

Hewlett Packard ProCurve Manager is a network management platform. For more information, see the vendor's site found at the following link.

http://www.procurve.com/

DESCRIPTION

Remote exploitation of a design error vulnerability in Hewlett Packard's ProCurve Manager could allow attackers to access arbitrary files hosted on the ProCurve server.

Hewlett Packard's ProCurve Manager includes a TFTP server that suffers from a directory traversal condition. The TFTP server runs with SYSTEM-level privileges and allows unauthenticated attackers to upload or download any file on the system.

The server is able to overwrite existing files as long as they are not locked in use by the operating system.
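
The containment check a TFTP server needs before acting on a read or write request, shown as an added example that is not code from this advisory or from HP. The root directory, function names and sample packets are constructed assumptions; the advisory does not state which filename forms the affected server accepts.

```python
import ntpath
import struct

TFTP_ROOT = r"C:\tftproot"        # assumed served directory (not from the advisory)
REQUESTS = {1: "RRQ", 2: "WRQ"}   # RFC 1350 read / write request opcodes


def parse_request(packet: bytes):
    """Split an RRQ/WRQ (2-byte opcode | filename | 0 | mode | 0) into its parts."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in REQUESTS:
        raise ValueError("not a read/write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed request")
    filename = fields[0].decode("ascii", "replace")
    return REQUESTS[opcode], filename, fields[1].decode("ascii", "replace").lower()


def resolve_in_root(filename: str, root: str = TFTP_ROOT):
    """Return the normalised Windows path if it stays under root, else None."""
    name = filename.replace("/", "\\")           # treat both separators alike
    if ":" in name or name.startswith("\\"):     # drive letter, ADS, absolute, UNC
        return None
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, name))  # collapses ".."
    # Compare with a trailing separator so C:\tftproot2 does not pass as C:\tftproot.
    prefix = ntpath.normcase(root_norm) + "\\"
    return candidate if ntpath.normcase(candidate).startswith(prefix) else None


def check(packet: bytes):
    """Return (operation, filename, allowed) for one request packet."""
    op, filename, _mode = parse_request(packet)
    return op, filename, resolve_in_root(filename) is not None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b"\x00\x01switches/sw1.cfg\x00octet\x00",
        b"\x00\x02..\\..\\outside.txt\x00octet\x00",
        b"\x00\x01sub/../../tftproot2/x.cfg\x00netascii\x00",
    ]
    for pkt in samples:
        print(check(pkt))
```

The same function can be run over filenames extracted from captured TFTP requests to flag any that resolve outside the served directory.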

ANALYSIS

Exploitation allows attackers to read and write arbitrary files on the server computer. The TFTP daemon runs with SYSTEM-level privileges, so any file path accessible to the SYSTEM account is available for exploitation.

DETECTION

iDefense confirmed the existence of this vulnerability in Hewlett Packard's ProCurve Manager version 2.2.

WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VENDOR RESPONSE

Hewlett-Packard Development Co. LP (HP) has released a patch which addresses this issue. Information about vendor updates can be found by clicking on the URLs shown.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01713073

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4514 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

08/21/2007 - Initial Contact
08/21/2007 - CVE Requested from MITRE
08/21/2007 - Automated ACK from vendor
08/22/2007 - Vendor assigned tracking # SSRT071458
08/23/2007 - MITRE assigned CVE-2007-4514
08/24/2007 - Vendor notified of CVE
09/28/2007 - Requested vendor status
10/01/2007 - Vendor status update
11/02/2007 - Requested vendor status (no response)
12/07/2007 - Requested vendor status
12/10/2007 - Vendor status update
12/14/2007 - Vendor status update
03/27/2008 - Requested vendor status (no response)
02/24/2009 - Requested vendor status (no response)
04/08/2009 - Uncoordinated public disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

LEGAL NOTICES

Copyright © 2010 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.