Altiris PXE server discloses information
Symantec has released an update for its Altiris management solution to remedy a vulnerability. Security provider iDefense reports that the TFTP service of a PXE server included in the software contains a directory-traversal vulnerability that allows files to be read. Because the service runs with system rights under Windows, the read access extends to all files.
While Symantec's security advisory states that authentication is required, TFTP does not support authentication. In its description of the problem, iDefense says that no authentication is required. According to its security advisory, version 6.8.8297.48 of the file pxemtftp.exe is affected. As an alternative to the update, iDefense recommends disabling the server for the Pre-Boot Execution Environment (PXE).
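The class of check that such a TFTP service needs, as an added example (not code from Symantec, iDefense or the original article): parse a read request as defined in RFC 1350 and serve the file only if the resolved path stays under the TFTP root. The root path, the function names and the sample packets are assumptions constructed for illustration; the advisories' actual request is not reproduced on this page.

```python
import ntpath  # Windows path rules, usable on any platform

TFTP_ROOT = r"C:\tftproot"  # assumed root directory; not given in the advisories


def parse_rrq(packet):
    """Return (filename, mode) from a TFTP read request, or None.

    RFC 1350 layout: 2-byte opcode (1 = RRQ), filename, NUL, mode, NUL.
    """
    if len(packet) < 4 or packet[:2] != b"\x00\x01":
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def resolve_in_root(filename, root=TFTP_ROOT):
    """Map a requested name to a path under root, or None if it escapes."""
    name = filename.replace("/", "\\")
    # Drive letters, alternate data streams, UNC and rooted names are never relative.
    if ":" in name or name.startswith("\\"):
        return None
    root_norm = ntpath.normpath(root)
    # normpath collapses "..", so the prefix test sees the final location.
    candidate = ntpath.normpath(ntpath.join(root_norm, name))
    prefix = ntpath.normcase(root_norm) + "\\"
    if ntpath.normcase(candidate).startswith(prefix):
        return candidate
    return None


def check_request(packet, root=TFTP_ROOT):
    """Classify a datagram: 'allow', 'deny' or 'not-rrq'."""
    req = parse_rrq(packet)
    if req is None:
        return "not-rrq"
    return "allow" if resolve_in_root(req[0], root) else "deny"


# Constructed sample datagrams (not taken from the advisories).
SAMPLES = [
    b"\x00\x01boot/pxelinux.0\x00octet\x00",
    b"\x00\x01../../Windows/win.ini\x00octet\x00",
    b"\x00\x01boot\\..\\..\\Windows\\win.ini\x00netascii\x00",
    b"\x00\x01C:\\boot.ini\x00octet\x00",
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(check_request(pkt), parse_rrq(pkt))
```

The comparison is purely lexical, so junctions or symbolic links inside the root would need a separate check on the real file system. Running the service under an account with fewer rights than system limits what a bypass of this check can read.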
- Altiris Deployment Solution Directory Traversal, Symantec security advisory
- Symantec Altiris Deployment Solution TFTP/MTFTP Service Directory Traversal Vulnerability, iDefense security advisory