System Administration

plugin 19508 HP Ignite-UX TFTP File Access Information Disclosure

SOLVED
Paolo_c
Frequent Advisor

I am looking for steps required to restrict TFTP access to trusted sources only, in relation to the vulnerability plug-in 19508, shown below. 


I did find one existing article about this on this forum: 

https://community.hpe.com/t5/System-Administration/TFTP-servers-restrict-access-to-trusted-sources-only/m-p/7127050#M491511 

but the "solution" offered appears out of date and the other more relevant links/info posted are all stale.

"plugin 19508 HP Ignite-UX TFTP File Access Information Disclosure  The remote TFTP daemon is serving potentially sensitive content"


KishJ
HPE Pro
Solution

Re: plugin 19508 HP Ignite-UX TFTP File Access Information Disclosure

Greetings,


Ignite uses TFTP for network boot. However, there are alternatives, and here is an excerpt from the Ignite Admin guide:


Disable TFTP on the Ignite-UX server (optional).

Unless you need to initiate installations via network boot, you may now disable TFTP on the Ignite-UX server. You may remove or comment out the "tftp" entry from /etc/inetd.conf. If the system to be installed is running any version of HP-UX, booting from the network can be avoided by using the bootsys command or by booting from media and switching to the Ignite-UX server. In the boot-from-media case, it will be necessary to either specify the _hp_loadfile_use_nfs keyword on the boot loader command line or create custom media with that keyword built into it.

If you do need to preserve the ability to perform network boot, but otherwise wish to take advantage of the NFS loadfile functionality, you may remove the /var/opt/ignite directory from the "tftp" entry in /etc/inetd.conf, leaving only /opt/ignite. When Ignite-UX is installed, it automatically enables the TFTP daemon. If you reinstall Ignite-UX, you will need to reapply these changes.

For information on booting from media and then switching to an Ignite-UX server over the network, see "Alternate Boot with Network Server Installation" (page 27). For information about changing configuration content in the install file system, see instl_adm(1M) and instl_adm(4).


To secure TFTP, we need to configure /var/adm/inetd.sec


The format of the file is as follows:


<service_name> allow|deny <host_specifier> <host_specifier>


<service_name> is the first field in an entry in the /etc/inetd.conf file (which is also the name of a valid service in the /etc/services file).


allow|deny determines whether the list of remote hosts in the next field is allowed or denied access to the specified service.


<host_specifier> is a host name, an IP address, an IP address range, or the wildcard character (*).


For example: tftp allow 10.34.*


Restart inetd after making the changes to the file inetd.sec:


# inetd -c 


Hope this helps.


I am a HPE Employee
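As an added check, not part of KishJ's reply or of HPE's own tooling: a small POSIX sh helper that audits inetd.conf and inetd.sec files for the two changes described above (the tftp entry no longer serving /var/opt/ignite, and an active "tftp allow" rule) and can produce the trimmed tftp entry for review. The sample tftp line, the temporary file paths and the idea of passing file paths as arguments are assumptions made for the example.

```shell
#!/bin/sh
# Constructed helper (not from the HPE reply) for the two changes above:
#   1. drop /var/opt/ignite from the tftp entry in /etc/inetd.conf
#   2. make sure /var/adm/inetd.sec has an active "tftp allow <hosts>" rule
# File paths are passed as arguments so it can run on copies or fixtures.

# Print the active (uncommented) tftp line of an inetd.conf-style file.
tftp_entry() {
    grep '^[[:space:]]*tftp[[:space:]]' "$1"
}

# Exit 0 if the active tftp entry still serves /var/opt/ignite.
tftp_exports_var_opt_ignite() {
    tftp_entry "$1" | grep -q '/var/opt/ignite'
}

# Print the file with /var/opt/ignite removed from the tftp entry only;
# stdout, so the result can be reviewed before replacing the real file.
strip_var_opt_ignite() {
    sed '/^[[:space:]]*tftp[[:space:]]/s#[[:space:]]/var/opt/ignite##' "$1"
}

# Exit 0 if an inetd.sec-style file has an uncommented "tftp allow ..." rule.
tftp_has_allow_rule() {
    grep -q '^[[:space:]]*tftp[[:space:]]\{1,\}allow[[:space:]]' "$1"
}

# Append "tftp allow <host_specifier>" unless an allow rule exists (idempotent).
ensure_tftp_allow() {
    tftp_has_allow_rule "$1" || printf 'tftp allow %s\n' "$2" >> "$1"
}

# Demonstration on constructed copies. On a live HP-UX host the same calls
# would target /etc/inetd.conf and /var/adm/inetd.sec, followed by "inetd -c".
demo() {
    conf=${TMPDIR:-/tmp}/inetd.conf.demo.$$
    sec=${TMPDIR:-/tmp}/inetd.sec.demo.$$
    printf '%s\n' '# constructed sample of the entry Ignite-UX installs' \
        'tftp dgram udp wait root /usr/lbin/tftpd tftpd /opt/ignite /var/opt/ignite' > "$conf"
    printf '# constructed sample inetd.sec\n' > "$sec"
    tftp_exports_var_opt_ignite "$conf" && echo "before: tftp serves /var/opt/ignite"
    strip_var_opt_ignite "$conf" > "$conf.new"
    ensure_tftp_allow "$sec" '10.34.*'
    echo "after:  $(tftp_entry "$conf.new")"
    echo "inetd.sec rule: $(grep '^tftp' "$sec")"
    rm -f "$conf" "$conf.new" "$sec"
}
demo
```

Review the generated entry before copying it over /etc/inetd.conf, then apply the inetd.sec rule and run inetd -c as the reply says.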