SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Tcpdump Vendors:  Tcpdump.org
Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet
SecurityTracker Alert ID:  1008716
SecurityTracker URL:  http://securitytracker.com/id?1008716
CVE Reference:  CAN-2003-0989 ,  CAN-2004-0057   (Links to External Site)
Updated:  Jan 16 2004
Original Entry Date:  Jan 14 2004
Impact:  Denial of service via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 3.8.1 and prior versions
Description:  Several vulnerabilities were reported in tcpdump in the processing of ISAKMP packets. A remote user can cause tcmpdump to crash or to enter an infinite loop.

It is reported that the rawprint() function in print-isakmp.c fails to validate its input arguments [CVE: CAN-2004-0057]. A remote user can send a specially crafted ISAKMP packet to cause the tcpdump process to crash. Red Hat credits Jonathan Heusser with discovering this flaw. Version 3.8.1 and prior versions are affected.

It is also reported that versions prior to 3.8.1 contain flaws that allow a remote user to force tcpdump to enter an infinite loop [CVE: CAN-2003-0989]. According to Red Hat, George Bakos discovered these flaws.
Impact:  A remote user can cause the tcpdump process to crash or to enter an endless loop.
Solution:  The vendor has issued a fix, available via CVS.
Vendor URL:  cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-isakmp.c (Links to External Site)
Cause:  Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 14 2004 (SuSE Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (krahmer@suse.de (Sebastian Krahmer))
SuSE has released a fix.
Jan 16 2004 (Red Hat Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (bugzilla@redhat.com)
The vendor has released a fix for Red Hat Linux 9.
Jan 16 2004 (Red Hat Issues Fix for RH Enterprise Linux) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Jan 16 2004 (Trustix Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Trustix Security Advisor <tsl@trustix.org>)
Trustix has released a fix.
Jan 17 2004 (Debian Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.
Jan 19 2004 (EnGarde Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (engarde-announce-admins@guardiandigital.com)
Guardian Digital has released a fix for EnGarde Secure Linux.
Jan 23 2004 (Turbolinux Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Turbolinux <security-announce@turbolinux.co.jp>)
Turbolinux has issued a fix.
Jan 27 2004 (Mandrake Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Feb 24 2004 (Apple Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Apple Product Security <product-security@apple.com>)
Apple has released Security Update 2004-02-23.
Mar 5 2004 (SCO Issues Fix for OpenLinux) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (please_reply_to_security@sco.com)
SCO has issued a fix for OpenLinux 3.1.1.
Mar 5 2004 (Red Hat Issues Fix for Fedora) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (Harald Hoyer <harald@redhat.com>)
Red Hat has issued a fix for Fedora Linux.
Apr 7 2004 (Gentoo Issues Fix) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   ("Joshua J. Berry" <condordes@gentoo.org>)
Gentoo has released a fix for net-analyzer/tcpdump and net-libs/libpcap.
Jul 29 2004 (SCO Issues Fix for UnixWare) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet   (please_reply_to_security@sco.com)
SCO has issued a fix for UnixWare.


 Source Message Contents
Date:  Wed, 14 Jan 2004 10:27:14 -0500
Subject:  CAN-2003-0989

 

http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-isakmp.c

 > 1.36.2.6 Wed Jan 7 7:53:17 2004  by hannes
 > Branch: tcpdump_3_8

 > bugfix from Jonathan Heusser <jonny@drugphish.ch>
 >
 >   The first critical piece of code is found in print-isakmp.c:332. The
 >   function rawprint() does not check its arguments thus it's easy for
 >   an attacker to pass a big 'len' or a bogus 'loc' leading to a
 >   segmentation fault in the for loop.


Also, SuSE reports:

 >   There is a bug in the tcpdump code responsible for handling ISAKMP
 >     messages. This bug allows remote attackers to destroy a current
 >     tcpdump session by tricking the tcpdump program with evil ISAKMP
 >     messages to enter an endless loop.

CAN-2003-0989


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC