Product Security Advisory HCCSEC-000016
InterNiche Security Vulnerabilities
Advisory ID: HCCSEC-000016
Publish Date: 2021-05-28
Last Updated: 2021-06-15
The TFTP packet processing function does not ensure that a filename is adequately null-terminated. A subsequent call to strlen() on the filename might therefore read beyond the bounds of the protocol packet buffer if no null bytes exist within a reasonable range. Besides yielding a wrong derived length, this might cause a DoS in the presence of a memory protection unit.
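The bounds check the description calls for, as an added example (not HCC or InterNiche code): a parser for a TFTP read/write request that finds each string terminator with memchr() limited to the received length instead of calling strlen(). The function and struct names are hypothetical, and the packet layout assumed is the RFC 1350 RRQ/WRQ format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TFTP_RRQ = 1, TFTP_WRQ = 2 };   /* RFC 1350 opcodes */

struct tftp_req {
    uint16_t opcode;
    const char *filename; size_t filename_len;
    const char *mode;     size_t mode_len;
};

/* Take one NUL-terminated field from [*cur, end); never reads past end. */
static int take_cstr(const uint8_t **cur, const uint8_t *end,
                     const char **out, size_t *out_len)
{
    size_t remaining = (size_t)(end - *cur);
    /* memchr is bounded by the bytes actually received; strlen is not. */
    const uint8_t *nul = remaining ? memchr(*cur, '\0', remaining) : NULL;
    if (nul == NULL || nul == *cur)
        return -1;   /* unterminated or empty field: reject the packet */
    *out = (const char *)*cur;
    *out_len = (size_t)(nul - *cur);
    *cur = nul + 1;
    return 0;
}

/* Hypothetical parser for RRQ/WRQ: opcode(2) | filename | 0 | mode | 0 */
int tftp_parse_request(const uint8_t *pkt, size_t pkt_len, struct tftp_req *req)
{
    if (pkt == NULL || req == NULL || pkt_len < 2)
        return -1;
    req->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (req->opcode != TFTP_RRQ && req->opcode != TFTP_WRQ)
        return -1;
    const uint8_t *cur = pkt + 2, *end = pkt + pkt_len;
    if (take_cstr(&cur, end, &req->filename, &req->filename_len) != 0)
        return -1;
    return take_cstr(&cur, end, &req->mode, &req->mode_len);
}

int main(void)
{
    /* Constructed packet: RRQ whose filename has no NUL before the end. */
    static const uint8_t bad[] = { 0, 1, 'A', 'A', 'A', 'A' };
    struct tftp_req r;
    printf("unterminated -> %d\n", tftp_parse_request(bad, sizeof bad, &r));
    return 0;
}
```

The returned filename pointer aliases the packet buffer, so callers should use it together with filename_len and copy it out before the buffer is reused.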
HCC recommends that customers with affected product versions update to the latest release.
Security Notices are being issued for the following products:
|Product Name||Affected Version||Security Notice||Last Updated|
|InterNiche Stack,||All before v4.3 (Package: in_tftp - v1.1)||Contact HCC Security Team||2021-06-04|
The risks for these vulnerabilities are rated from Low to High. Refer to the product Security Notices for additional statements regarding risk.
Mitigation / Recommended Action
HCC has fixed the issue in release v4.3 (Package: in_tftp - v1.2) of the affected software. Customers are advised to update their software to version v4.3 (Package: in_tftp - v1.2) or above. Customers are advised to review the product Security Notice. For additional information, contact the HCC Security Team.
Related CVEs / CWEs / Advisories
Page Revision History
|1.1||2021-06-15||Name and version of fixed package added|