SolarWinds TFTP Server Denial of Service Vulnerability
SW-07-001
October 15, 2007
CVE ID:
Not yet assigned
Affected Vendor:
SolarWinds
Affected Products:
Engineer's Toolset, Standard Toolset, free TFTP Server
Severity Assessment:
Medium
Vulnerability Details:
SolarWinds has identified a Denial of Service vulnerability in all versions of the Toolset TFTP Server prior to version 9.1.0.1 and free TFTP Server prior to version 9.1. TFTP Server is offered as a free tool downloadable from SolarWinds' website and is included as an application within Engineer's Toolset and Standard Toolset.
- TFTP Server 9.x versions can be prevented from responding
- TFTP Server 8.x or prior versions can allow code execution under certain circumstances
To check your software version:
1. Select Control Panel > Add or Remove Programs
2. Select your installed Toolset or TFTP Server
3. Select the "Click here for more support information" link
4. Verify Toolset is version 9.1.0.1 or free TFTP Server is version 9.1
Update Availability:
This issue has been addressed with a hot-fix for version 9.1 of Engineer's Toolset and Standard Toolset. Toolset customers can download the hot-fix from the Customer Portal or here:
Free TFTP Server users should download the latest TFTP Server version 9.1 from the SolarWinds website.
For existing Toolset maintenance customers who are on previous versions of Toolset, such as 8.0 or 9.0, we recommend upgrading to the Toolset 9.1 release and installing the hot-fix. Customers can obtain the latest version of Toolset from the Customer Portal.
Workarounds:
Disable TFTP server when not performing a file transfer. Install TFTP Server on Management VLANs that are inaccessible from the Internet.
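The version check and the first workaround above can be scripted for hosts you administer. The PowerShell below is an added example, not SolarWinds code: it reads the standard Windows uninstall registry keys, compares the reported version with the fixed versions named in this advisory, and lists anything bound to the standard TFTP port (UDP 69). It assumes the products register with "SolarWinds" in their DisplayName or Publisher and match the name patterns shown (adjust to what Add or Remove Programs displays), and that Get-NetUDPEndpoint is available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not SolarWinds code). Fixed versions are the ones in this advisory.
$fixed = @(
    @{ Pattern = '*Toolset*';     Min = [version]'9.1.0.1' }  # Engineer's / Standard Toolset
    @{ Pattern = '*TFTP Server*'; Min = [version]'9.1' }      # free TFTP Server
)
# Standard Windows uninstall keys (what Add or Remove Programs reads).
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# ASSUMPTION: the entries carry "SolarWinds" in DisplayName or Publisher.
$installed = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' -or $_.Publisher -like '*SolarWinds*' }

$report = foreach ($entry in $installed) {
    $rule = $fixed | Where-Object { $entry.DisplayName -like $_.Pattern } | Select-Object -First 1
    if (-not $rule) { continue }
    $v = $null
    if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$v)) {
        $status = 'UNKNOWN - check manually'      # missing or non-numeric version string
    } elseif ($v -lt $rule.Min) {
        $status = 'NEEDS UPDATE'
    } else {
        $status = 'fixed'
    }
    [pscustomobject]@{
        Product = $entry.DisplayName
        Version = $entry.DisplayVersion
        Minimum = $rule.Min
        Status  = $status
    }
}
$report | Format-Table -AutoSize

# Workaround check: is anything bound to the TFTP port (UDP 69) right now?
Get-NetUDPEndpoint -LocalPort 69 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        Process      = $proc.ProcessName
        Note         = 'TFTP port open; stop the server if no transfer is in progress'
    }
} | Format-Table -AutoSize
```

A Toolset entry reporting plain "9.1" is flagged as needing the update, because the hot-fixed build is 9.1.0.1.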
Credit:
This issue was reported by Nicolas Beauchesne from Juniper J-Net Security Research Team.
Support:
Technical support is available by contacting SolarWinds Technical Support at http://www.solarwinds.com/support/.