Check Point Advisories

Microsoft Windows RIS TFTP Service Writable Path (MS06-077; CVE-2006-5584)

Check Point Reference: CPAI-2006-288
Date Published: 13 Oct 2010
Severity: High
Last Updated: 6 Feb 2017
Industry Reference:CVE-2006-5584
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable? Microsoft Windows 2000
Vulnerability Description The Remote Installation Service, RIS, is a Microsoft-supplied server that provides tools that facilitates the remote installation of Microsoft Windows. RIS requires that remote clients have a Preboot eXecution Environment (PXE) BIOS enabled to remotely execute boot environment variables. On Microsoft Windows 2000 technology, the RIS service runs on Windows 2000 Server and allows for remote installation of Windows 2000 Professional edition.A path overwrite vulnerability exists within the Microsoft Windows Remote Installation Service. The Remote Installation Service (RIS) includes a TFTP server that is configured by default to allow anonymous users to update and overwrite files. This vulnerability allows an attacker to compromise operating installs offered by the RIS server.If the attacker is successful in overwriting existing files, the behavior of the compromised operating system installs offered by the target RIS server is dependent on the intention of the uploaded files. The target system, however, will continue to operate normally and is not directly affected.Note that the files in the target system's RIS repository directory may become locked for short periods of time due to access by the TFTP service and access of the files locally may result in errors during this period.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the Microsoft Windows RIS TFTP Service Writable Path (MS06-077) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  TFTP Enforcement Violation.
Attack Information:  Microsoft Windows RIS TFTP Service Writable Path (MS06-077)

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO