search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

tcpdump contains buffer overflow vulnerability in ISAKMP "Delete Payload" handling

Vulnerability Note VU#240790

Original Release Date: 2004-08-27 | Last Revised: 2004-08-27

Overview

A vulnerability in tcpdump could allow a remote attacker to cause a denial of service on an affected system.

Description

The tcpdump tool allows for the inspection of network packets and contains decoders for many standard protocols, including the Internet Security Association and Key Management Protocol (ISAKMP). The ISAKMP standard specifies:

The Delete Payload contains a protocol-specific security association identifier that the sender has removed from its security association database and is, therefore, no longer valid. [...] It is possible to send multiple Security Parameter Index(es) (SPIs) in a Delete payload [...]

To this end, the format of the "Delete Payload" contains a "# of SPIs" field, specified as two octets. A buffer overflow flaw exists in the way that tcpdump's ISAKMP decoder handles malformed ISAKMP packets specifying an overly large number of SPIs for deletion. Such malformed packets could cause tcpdump to read out of bounds and crash. This condition is only exploitable if tcpdump is invoked with the verbose display option, '-v'.

Impact

A remote attacker could cause tcpdump to crash.

Solution

Apply a patch from the vendor

Patches have been released to address this issue. Please see the Systems Affected section of this document for more details.

Vendor Information

240790
 
Expand all

Debian Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in Debian Security Advisory DSA-478. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-120
2004-05-13
---------------------------------------------------------------------

Name        : tcpdump
Version     : 3.7.2
Release     : 8.fc1.2
Summary     : A network traffic monitoring tool.
Description :
Tcpdump is a command-line tool for monitoring network traffic.
Tcpdump can capture and display the packet headers on a particular
network interface or on all interfaces.  Tcpdump can display all of
the packet headers, or just the ones that match particular criteria.

Install tcpdump if you need a program to monitor network traffic.

---------------------------------------------------------------------
Update Information:

Tcpdump is a command-line tool for monitoring network traffic.

Tcpdump v3.8.1 and earlier versions contained multiple flaws in the
packet display functions for the ISAKMP protocol. Upon receiving
specially crafted ISAKMP packets, TCPDUMP would try to read beyond
the end of the packet capture buffer and subsequently crash.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported security patches and are not vulnerable to these issues.
---------------------------------------------------------------------
* Wed May 12 2004 Harald Hoyer <harald@redhat.com> - 14:3.7.2-8.fc1.2

- CAN-2004-0183/0184 fixed


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

c11dc7a9af4766ca018405339f6e8b0d  SRPMS/tcpdump-3.7.2-8.fc1.2.src.rpm
f7de913568498b8b38788d2fc673162e  i386/tcpdump-3.7.2-8.fc1.2.i386.rpm
13f09fefc188bfa47b0dc993eadabcd7  i386/libpcap-0.7.2-8.fc1.2.i386.rpm
5bdc0b8f388497e475b7091b5175c6c6  i386/arpwatch-2.1a11-8.fc1.2.i386.rpm
2545161afba66a197a54233349bc0285  x86_64/tcpdump-3.7.2-8.fc1.2.x86_64.rpm
343dea7f180e95f86b436fc42ce34c21  x86_64/libpcap-0.7.2-8.fc1.2.x86_64.rpm
1e50e97307551fabb2aba8f8c4cf635d  x86_64/arpwatch-2.1a11-8.fc1.2.x86_64.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------


--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in Gentoo Linux Security Advisory GLSA 200404-03. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in Mandrakelinux Security Update Advisory MDKSA-2004:030. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information is available in OpenPKG Security Advisory OpenPKG-SA-2004.010. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in Red Hat Security Advisory RHSA-2004:219. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in SGI Advanced Linux Environment 2.4 security update #21and SGI Advanced Linux Environment 3 Security Update #3. Users are encouraged to review these advisories and apply the patches they refer to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Slackware Security team has published Slackware Security Advisory SSA:2004-108 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in SuSE Security Announcement SuSE-SA:2004:011. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated:  August 26, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

More information can be found in Trustix Secure Linux Security Advisory TSLSA-2004-0015. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Rapid7 using their Striker test suite.

This document was written by Chad R Dougherty based on information published in Rapid7 Advisory R7-0017.

Other Information

CVE IDs: CVE-2004-0183
Severity Metric: 1.69
Date Public: 2004-03-30
Date First Published: 2004-08-27
Date Last Updated: 2004-08-27 13:27 UTC
Document Revision: 14

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis