Vulnerability Discussion

Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.

Check

Verify if TFTP is installed, it is configured to operate in secure mode.

Note: If TFTP is not required, it must not be installed. If TFTP is not installed, this rule is not applicable.

Check to see if TFTP server is installed with the following command:

$ sudo dnf list --installed tftp-server

Updating Subscription Management repositories.
Installed Packages
tftp-server.x86_64 5.2-38.el9 @rhel-9-for-x86_64-appstream-rpms

Verify the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode with the following command:

$ grep -i execstart /usr/lib/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

Note: The "-s" option ensures the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.

Fix

Configure RHEL 9 so that TFTP operates in secure mode if installed.

If TFTP server is not required, remove it with the following command:
$ sudo dnf -y remove tftp-server

Configure the TFTP daemon to operate in secure mode with the following command:
$ sudo systemctl edit tftp.service

In the editor, enter:
[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

After making changes, reload the systemd daemon and restart the TFTP service as follows:

$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service

If the "-s" option is not present in the "ExecStart" line or if the line is missing, this is a finding.