=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN129
_____________________________________________________________________

DATE                      : 17/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell ZENworks Configuration Manager versions 10 and 11.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7007896
______________________________________________________________________

ZCM TFTPD Remote Code Execution Security Vulnerability

This document (7007896) is provided subject to the disclaimer at
the end of this document.

Environment

Novell ZENworks 10 Configuration Management
Novell ZENworks 11 Configuration Management


Situation

A vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell ZENworks Configuration Manager.


Resolution

For ZCM 11: A fix for this issue is intended to be included in a
future update to the product; however, in the interim, Novell has
made a patch available. It can be obtained at
http://download.novell.com/Download?buildid=KN7WZylayYc~
as "ZCM 11.0 TFTP vulnerability - see TID 7007896".

For ZCM 10.3.2: A fix for this issue is intended to be included
in a future update to the product; however, in the interim, Novell
has made a patch available. It can be obtained at
http://download.novell.com/Download?buildid=EXTzSp-HKZ8~ as
"ZCM 10.3.2 TFTP vulnerability - see TID 7007896".

For ZCM 10.3.1: A fix for this issue is intended to be included in
a future update to the product; however, in the interim, Novell has
made a patch available. It can be obtained at
http://download.novell.com/Download?buildid=YO_dVg28uzY~ as
"ZCM 10.3.1 TFTP vulnerability - see TID 7007896".

For earlier versions of ZCM 10: It will be necessary to upgrade to
one of the above versions and apply the appropriate patch.

Status
Security Alert


Document
Document ID:	7007896
Creation Date:	02-15-2011
Modified Date:	02-16-2011
Novell Product:	ZENworks Configuration Management


Disclaimer

The Origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this
information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
