-- Corsaire Security Advisory --

Title: HP Ignite-UX filesystem permissions issue
Date: 23.11.04
Application: HP Ignite-UX prior to version C.6.2.241
Environment: HP-UX
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c041123-002


-- Scope --

The aim of this document is to clearly define a vulnerability in the HP
Ignite-UX product, as supplied by HP Inc. [1], that would allow
unauthenticated write access to the host filesystem, both remotely and
locally.


-- History --

Discovered: 23.11.04 (Martin O'Neal)
Vendor notified: 23.11.04
Document released: 16.08.05


-- Overview --

The HP Ignite-UX "addresses the need for HP-UX system administrators to
perform system installations and deployment, often on a large scale" [2]

As part of the installation process, the product can install and enable
a TFTP server to facilitate anonymous access to configuration data. In
certain circumstances, sections of the TFTP server tree can become
world-writeable, allowing an attacker to use this as a mechanism for
moving data/tools into and out of the host, or simply launch a DoS
exhaustion attack against the host through filling the local filesystem.


-- Analysis --

The HP Ignite-UX can use a TFTP server to facilitate anonymous access to
configuration data. When the add_new_client command is used, sections of
the TFTP server tree may be made world-writeable.


-- Recommendations --

Download and apply the HP Ignite-UX version C.6.2.241 patches.

If in any doubt, disable the TFTP server.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004- 0952 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] http://www.hp.com
[2] http://software.hp.com/products/IUX/overview.html


-- Revision --

a. Initial release.
b. Released.


-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2004 Corsaire Limited. All rights reserved.