Vulnerabilities > CVE-2007-3268 - Divide By Zero vulnerability in IBM Tivoli Provisioning Manager OS Deployment 5.1.0.2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
ibm
CWE-369
nessus

Summary

The TFTP implementation in IBM Tivoli Provisioning Manager for OS Deployment 5.1 before Fix Pack 3 allows remote attackers to cause a denial of service (rembo.exe crash and multiple service outage) via a read (RRQ) request with an invalid blksize (blocksize), which triggers a divide-by-zero error.

Vulnerable Configurations

Part Description Count
Application
Ibm
1

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: IBM_TPMFOSD_TFTPD_BLOCKSIZE_DOS.NASL
description: The remote host is running IBM Tivoli Provisioning Manager for OS Deployment, for remote deployment and management of operating systems. The TFTPD component of the version of this software installed on the remote host does not handle read requests with an invalid 'blksize' argument. An unauthenticated attacker can leverage this issue to trigger a divide-by-zero error and cause the 'rembo.exe' service to exit.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25738
published: 2007-07-19
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25738
title: IBM Tivoli Provisioning Manager for OS Deployment TFTPD Malformed PRQ Request DoS
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin registration. When the script is loaded with `description` set, this
# branch only records metadata and leaves through the exit(0) at its end; the
# detection logic further down is not reached on that pass.
if (description)
{
  # Identity and revision.
  script_id(25738);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # NOTE(review): "PRQ" in the name looks like a typo for "RRQ" (the TFTP read
  # request the description text refers to) -- confirm before changing it,
  # since the name is part of the published plugin.
  script_name(english:"IBM Tivoli Provisioning Manager for OS Deployment TFTPD Malformed PRQ Request DoS");
  script_summary(english:"Gets IBM TPM for OS Deployment Server version");

  # External identifiers for the flaw.
  script_cve_id("CVE-2007-3268");
  script_bugtraq_id(24942);

  # Human-readable report text.
  script_set_attribute(attribute:"synopsis", value:
"A service on the remote host is prone to a denial of service attack." );
  script_set_attribute(attribute:"description", value:
"The remote host is running IBM Tivoli Provisioning Manager for OS
Deployment, for remote deployment and management of operating systems. 

The TFTPD component of the version of this software installed on the
remote host does not handle read requests with an invalid 'blksize'
argument.  An unauthenticated attacker can leverage this issue to
trigger a divide-by-zero error and cause the 'rembo.exe' service to
exit." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Provisioning Manager for OS Deployment, Fix Pack 3
(version 5.1.0.3) or later." );

  # Advisory references. The long URL in the next comment is presumably the
  # target of the shortened nessus.org link that follows it.
  # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=560
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0642934f" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/473925/30/0/threaded" );

  # Risk rating: network-reachable, low complexity, no authentication, and an
  # availability-only impact (CVSS2 base vector below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Timeline.
  script_set_attribute(attribute:"patch_publication_date", value: "2007/07/17");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/19");

  # Classification.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment");
  script_end_attributes();

  # Scheduling. The plugin is registered as an information-gathering check;
  # the logic after this block only reads an HTTP page and compares the
  # advertised version, it does not send any TFTP request.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl", "tftpd_detect.nasl");
  # Requires the knowledge-base entry for a detected TFTP service and a web
  # port to read the product banner from.
  script_require_keys("Services/udp/tftp");
  script_require_ports("Services/www", 443, 8080);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Detection logic: a banner/version comparison only. A finding means "the web
# console advertises a version older than 5.1.0.3"; it does not show that the
# TFTP service is reachable or that the flaw was exercised.

# Unless the scan is paranoid (level 2 or higher), require that a TFTP
# service was recorded in the knowledge base.
# NOTE(review): script_require_keys("Services/udp/tftp") in the description
# block may already prevent the plugin from running without that key, which
# would make the paranoid path unreachable -- confirm.
if (report_paranoia < 2)
{
  if (!get_kb_item("Services/udp/tftp")) exit(0);
}


port = get_http_port(default:443);


# Fetch the console's main page; exit_on_fail ends the script if it cannot
# be retrieved.
res = http_get_cache(item:"/builtin/index.html", port:port, exit_on_fail: 1);

# Continue only when both the server banner and the product name are present.
if (
  "Server: Rembo" >< res &&
  "IBM Tivoli Provisioning Manager for OS Deployment" >< res
)
{
  # Extract "<version> (build <build>)" from the page.
  ver = NULL;
  build = NULL;

  pat = ">TPMfOSd ([0-9][0-9.]+) \(build ([0-9][0-9.]+)\)<";
  candidates = egrep(pattern:pat, string:res);
  if (candidates)
  {
    foreach line (split(candidates))
    {
      hit = eregmatch(pattern:pat, string:chomp(line));
      if (isnull(hit)) continue;

      # The first matching line wins.
      ver = hit[1];
      build = hit[2];
      break;
    }
  }

  if (!isnull(ver))
  {
    # Turn the first four dotted components of both versions into integers.
    # Presumably a missing component converts to 0 -- TODO confirm.
    have = split(ver, sep:'.', keep:FALSE);
    want = split("5.1.0.3", sep:'.', keep:FALSE);
    for (i=0; i<4; i++)
    {
      have[i] = int(have[i]);
      want[i] = int(want[i]);
    }

    # Compare component by component, most significant first; the first
    # difference decides the outcome.
    ncomp = max_index(have);
    for (i=0; i<ncomp; i++)
    {
      if (have[i] < want[i])
      {
        report = string(
          "According to its banner, version ", ver, " (build ", build, ") of IBM Tivoli\n",
          "Provisioning Manager for OS Deployment is installed on the remote\n",
          "host."
        );
        # The finding is attached to the HTTP port the banner was read from,
        # not to the TFTP port where the flaw is triggered.
        security_warning(port:port, extra:report);
        break;
      }
      if (have[i] > want[i]) break;
    }
  }
}

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 24942 CVE(CAN) ID: CVE-2007-3268 IBM Tivoli Provisioning Manager for OS Deployment是一款网络引导服务器,方便集中管理联网的工作站。 Tivoli Provisioning Manager for OS Deployment没有正确地实现TFTP协议,在处理读请求(RRQ)时无效的blksize参数可能导致将0用作除数,触发无法处理的异常,rembo.exe服务会终止。 无须认证就可以利用这个漏洞。攻击者仅需向有漏洞机器的TFTP端口(UDP 69)发送特制请求就可以导致DHCP、TFTP、PXE、HTTP、HTTPS等服务终止。 IBM Tivoli Provisioning Manager for OS Deployment 5.1.0.2 临时解决方法: * 限制对UDP 69端口的访问 厂商补丁: IBM --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www-1.ibm.com/support/docview.wss?uid=swg24016347
id: SSV:2014
last seen: 2017-11-19
modified: 2007-07-18
published: 2007-07-18
reporter: Root
title: IBM Tivoli Provisioning Manager for OS Deployment 0除数拒绝服务漏洞