Main Vulnerability Database SB2017040606

SB2017040606 - Input validation error in Spiceworks

Published: April 6, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017040606

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2017-7237)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks dataconfigurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a WRQ (aka Write request) operation for a configuration file or an executable file.

Remediation

Install update from vendor's website.

References

http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt
https://community.spiceworks.com/support/inventory/docs/network-config#security
https://www.exploit-db.com/exploits/41825/