03-25-2021 01:16 AM
I am looking for steps required to restrict TFTP access to trusted sources only, in relation to the vulnerability plug-in 19508, shown below.
I did find one existing article about this on this forum:
but the "solution" offered appears out of date and the other more relevant links/info posted are all stale.
"plugin 19508 HP Ignite-UX TFTP File Access Information Disclosure The remote TFTP daemon is serving potentially sensitive content"
03-26-2021 08:35 AM - edited 03-29-2021 01:03 AM
Re: plugin 19508 HP Ignite-UX TFTP File Access Information Disclosure
06-12-2021 10:56 PM
Solution
Greetings,
Ignite uses TFTP for network boot. However, there are alternatives and here is an excerpt from Ignite Admin guide:
Disable TFTP on the Ignite-UX server (optional).
Unless you need to initiate installations via network boot, you may now disable TFTP on the
Ignite-UX server. You may remove or comment out the "tftp" entry from /etc/inetd.conf.
If the system to be installed is running any version of HP-UX, booting from the network can be
avoided by using the bootsys command or by booting from media and switching to the
Ignite-UX server.
In the boot-from-media case, it will be necessary to either specify the _hp_loadfile_use_nfs
keyword on the boot loader command line or create custom media with that keyword built
into it.
If you do need to preserve the ability to perform network boot, but otherwise wish to take
advantage of the NFS loadfile functionality, you may remove the /var/opt/ignite
directory from the "tftp" entry in /etc/inetd.conf, leaving only /opt/ignite.
When Ignite-UX is installed, it automatically enables the TFTP daemon. If you reinstall Ignite-UX,
you will need to reapply these changes.
For information on booting from media and then switching to an Ignite-UX server over the
network, see “Alternate Boot with Network Server Installation” (page 27). For information
about changing configuration content in the install file system, see instl_adm(1M) and
instl_adm(4).
To secure TFTP, we need to configure /var/adm/inetd.sec
Format of the file would be as follows:
<service_name> allow|deny <host_specifier> <host_specifier>
<service_name> is the first field in an entry in the /etc/inetd.conf file (which is also the name of a valid service in the /etc/services file).
allow|deny determines whether the list of remote hosts in the next field is allowed or denied access to the specified service.
<host_specifier> is a host name, an IP address, an IP address range, or the wildcard character (*).
For example: tftp allow 10.34.*
Restart inetd after making the changes to the file inetd.sec
# inetd -c
Hope this helps.
I am an HPE Employee
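One way to check the outcome of the steps in the solution above, as an added example that is not part of the thread or of HPE's documentation: it reads inetd.conf and inetd.sec and reports whether tftp is disabled, open to any host, or limited by an allow list. The function names, the constructed sample files and the rule that the last tftp line is the one judged when several exist are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit how exposed tftp is.
# Default paths are the HP-UX files named above; pass copies to test offline.

# Print the active (uncommented) tftp line from inetd.conf, if there is one.
tftp_entry() {
    awk '$1 == "tftp" { print; exit }' "${1:-/etc/inetd.conf}"
}

# Succeeds when the tftp entry still lists /var/opt/ignite.
serves_var_opt_ignite() {
    tftp_entry "$1" | grep -q '/var/opt/ignite'
}

# Print one of: disabled | open | deny-list | restricted
tftp_exposure() {
    conf=${1:-/etc/inetd.conf}
    sec=${2:-/var/adm/inetd.sec}
    [ -n "$(tftp_entry "$conf")" ] || { echo disabled; return; }
    [ -r "$sec" ] || { echo open; return; }
    # Assumption: if several tftp lines exist, the last one is the one judged.
    awk '
        $1 == "tftp" && ($2 == "allow" || $2 == "deny") {
            mode = $2; wild = 0
            for (i = 3; i <= NF; i++) if ($i == "*") wild = 1
        }
        END {
            if (mode == "")          print "open"       # no entry: nothing is filtered
            else if (mode == "deny") print "deny-list"  # only the listed hosts are blocked
            else if (wild)           print "open"       # "allow *" restricts nothing
            else                     print "restricted"
        }' "$sec"
}

# Constructed sample files, not taken from a real server.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/inetd.conf" <<'EOF'
#ftp  stream tcp nowait root /usr/lbin/ftpd  ftpd -l
tftp  dgram  udp wait   root /usr/lbin/tftpd tftpd /opt/ignite /var/opt/ignite
EOF
printf '# constructed\ntftp allow 10.34.*\n' > "$sample_dir/inetd.sec"

echo "tftp exposure: $(tftp_exposure "$sample_dir/inetd.conf" "$sample_dir/inetd.sec")"
if serves_var_opt_ignite "$sample_dir/inetd.conf"; then
    echo "note: /var/opt/ignite is still served over TFTP"
fi
```

A result of `open` or `deny-list` means hosts outside the trusted range can still reach the TFTP daemon.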