|Check Point Reference:||CPAI-2006-288|
|Date Published:||13 Oct 2010|
|Last Updated:||6 Feb 2017|
|Protection Provided by:||
|Who is Vulnerable?||Microsoft Windows 2000|
|Vulnerability Description||The Remote Installation Service, RIS, is a Microsoft-supplied server that provides tools that facilitates the remote installation of Microsoft Windows. RIS requires that remote clients have a Preboot eXecution Environment (PXE) BIOS enabled to remotely execute boot environment variables. On Microsoft Windows 2000 technology, the RIS service runs on Windows 2000 Server and allows for remote installation of Windows 2000 Professional edition.A path overwrite vulnerability exists within the Microsoft Windows Remote Installation Service. The Remote Installation Service (RIS) includes a TFTP server that is configured by default to allow anonymous users to update and overwrite files. This vulnerability allows an attacker to compromise operating installs offered by the RIS server.If the attacker is successful in overwriting existing files, the behavior of the compromised operating system installs offered by the target RIS server is dependent on the intention of the uploaded files. The target system, however, will continue to operate normally and is not directly affected.Note that the files in the target system's RIS repository directory may become locked for short periods of time due to access by the TFTP service and access of the files locally may result in errors during this period.|
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: TFTP Enforcement Violation.
Attack Information: Microsoft Windows RIS TFTP Service Writable Path (MS06-077)