Kiwi Enterprises Security Advisory: Tuesday 13th February 2007.

A security flaw in the Kiwi CatTools TFTP server component (KiwiTFTP.dll) was recently brought to our attention. For more information see: http://www.securityfocus.com/archive/1/459500

The flaw allowed access via the TFTP server to any known folder above the Kiwi CatTools root TFTP folder by means of the ..//.. method (directory traversal sequences in the requested filename). This vulnerability could be exploited by malicious individuals to upload or download files from any location on the computer on which Kiwi CatTools is running.

This flaw affects Kiwi CatTools versions 2.0.0 through to 3.2.8. This flaw has now been fixed. To apply the fix on your system, there are two options available.

Option 1. Upgrade to version 3.2.9 or later

We recommend where possible that all Kiwi CatTools customers upgrade to version 3.2.9 or later. The latest version of Kiwi CatTools is available for download. Note: To upgrade to 3.2.9 or later you will need to have a current software maintenance plan.
Option 2. Install the free TFTP Server patch

If upgrading to version 3.2.9 or later is not possible, we recommend that customers download and install the free TFTP Server patch. The patch replaces the KiwiTFTP.dll component with the new version (1.0.0.11). This patch will work with all editions of Kiwi CatTools from version 2.0.0 onward. Note: This patch is free and does not require you to have a current software maintenance plan.
The security flaw is present in versions 1.0.0.1, 1.0.0.2, 1.0.0.3, and 1.0.0.4 of the KiwiTFTP.dll component. KiwiTFTP.dll version 1.0.0.8 and above no longer has the security flaw. KiwiTFTP.dll is normally installed in the Windows\System32 folder.
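The class of defect described in this advisory is a TFTP server that checks the client-supplied filename as a string and then opens it relative to the root folder. The following is an added example, not code from Kiwi or the patched KiwiTFTP.dll, of the containment check a TFTP file handler should perform instead: fold both separators, resolve the name against the root, and only then verify that the result still lies inside the root. The root path, the function names and the sample filenames are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed root folder for the example; the real CatTools TFTP root is
# whatever folder the administrator configured.
TFTP_ROOT = "/srv/tftp"

def resolve_tftp_path(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied TFTP filename onto a file under root.

    Returns the resolved path, or None when the name would escape root.
    Backslashes are folded into forward slashes first, because a Windows
    server accepts either separator, so "..\\..\\" and "..//.." must be
    treated identically rather than only one spelling being filtered.
    """
    root = posixpath.normpath(root)
    name = requested.replace("\\", "/")
    # Reject drive-letter paths (C:/...) outright; everything else is
    # interpreted relative to the root, so a leading "/" is just dropped.
    if len(name) > 1 and name[1] == ":":
        return None
    name = name.lstrip("/")
    # normpath collapses ".", ".." and doubled slashes, so "..//.." becomes
    # "../..", and joining it to the root then climbs out of the root.
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Containment check on the resolved path, not on the raw string:
    # the longest common prefix of root and candidate must be root itself.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate

def triage_requests(root: str, names: list) -> dict:
    """Return {requested name: resolved path or None} for a batch of names."""
    return {n: resolve_tftp_path(root, n) for n in names}

if __name__ == "__main__":
    # Constructed sample of filenames as a TFTP client might send them.
    sample = [
        "router1.cfg",
        "backups/../router1.cfg",
        "..//..//secret.txt",
        "..\\..\\secret.txt",
        "C:\\secret.txt",
    ]
    for name, resolved in triage_requests(root=TFTP_ROOT, names=sample).items():
        print(f"{name!r:28} -> {resolved or 'REJECTED'}")
```

The check operates on the lexical path only; a deployment whose root folder may contain symbolic links or junctions should additionally resolve the candidate with os.path.realpath before the containment comparison.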
