Multiple vulnerabilities in products that use the Preboot Execution Environment (PXE) SDK


Products that use the Preboot Execution Environment (PXE) SDK sample code provided by Intel contain multiple vulnerabilities.

Products that use the PXE SDK sample code provided by Intel contain directory traversal and buffer overflow vulnerabilities.

Nobuyuki Kanaya of Fujitsu Laboratories Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 8.3 (High) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Affected Products

Products that use the PXE SDK sample may be vulnerable.

For more information, refer to the vendor information under "Vendor Status".
The vendors that have released affected product information are as follows.

NEC Corporation
  • WebSAM DeploymentManager
Hitachi, Ltd.
  • JP1/ServerConductor/Deployment Manager Enterprise Edition
  • JP1/ServerConductor/Deployment Manager Standard Edition
  • ServerConductor/DeploymentManager
  • SystemcastWizard Lite V2.0A and earlier


Information stored by the product using the PXE SDK sample code may be viewed, or arbitrary code may be executed.

[Update the software]
Update according to the information provided by the product developer.
Vendor Information

NEC Corporation
  • NEC Security Information : NV11-007 (only in Japanese)
Hitachi, Ltd.
  • Hitachi Software Vulnerability Information : HS11-026 (only in Japanese)
CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]
  2. Path Traversal (CWE-22) [IPA Evaluation]
CVE

  1. CVE-2009-0270

  1. JVN : JVN#05255562
  2. National Vulnerability Database (NVD) : CVE-2009-0270
Revision History

  Web page was published
  Affected Products : Products were added
  Vendor Information : Contents were added