SecurityTracker.com
Category:   Application (Generic)  >   Tcpdump
Vendors:   Tcpdump.org
(SCO Issues Fix for OpenLinux) tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process
SecurityTracker Alert ID:  1009325
SecurityTracker URL:  http://securitytracker.com/id/1009325
CVE Reference:   CVE-2004-0055
Date:  Mar 5 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.8.1
Description:   A vulnerability was reported in tcpdump in the processing of RADIUS packets. A remote user can cause the target tcpdump process to crash.

Jonathan Heusser reported that there is a flaw in 'print-radius.c' in the print_attr_string() function, where the 'length' and 'data' parameters are not properly validated. The report also indicates that there is a flaw in the radius_attr_print() function, where an upper limit for the 'rad_attr->len' is not defined.

A remote user can send a specially crafted RADIUS packet to cause the target process to crash.
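
The missing checks described above, shown as an added example (not tcpdump's code and not the vendor's patch): a C routine that walks RADIUS attributes and rejects any length field that would take a reader outside the captured bytes. The function name, constants and sample packets are constructed for illustration; the packet layout follows RFC 2865.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAD_HDR_LEN 20   /* code(1) + id(1) + length(2) + authenticator(16) */
#define RAD_MAX_LEN 4096 /* RFC 2865 maximum packet length */

/* Walk the attributes of a RADIUS packet held in buf[0..caplen).
 * Returns the number of well-formed attributes, or -1 if any length
 * field would take a reader outside the captured bytes. */
int radius_check_attrs(const uint8_t *buf, size_t caplen)
{
    if (buf == NULL || caplen < RAD_HDR_LEN)
        return -1;
    size_t pktlen = ((size_t)buf[2] << 8) | buf[3];
    if (pktlen < RAD_HDR_LEN || pktlen > RAD_MAX_LEN || pktlen > caplen)
        return -1;               /* header length must fit the capture */

    size_t off = RAD_HDR_LEN;
    int count = 0;
    while (off < pktlen) {
        if (pktlen - off < 2)
            return -1;           /* no room for the type and len bytes */
        size_t alen = buf[off + 1];
        if (alen < 2 || alen > pktlen - off)
            return -1;           /* len counts its own 2 bytes; must stay in packet */
        /* value bytes buf[off+2 .. off+alen) are now safe to decode */
        off += alen;
        count++;
    }
    return count;
}

/* Constructed sample packets: 20-byte header declaring 28 bytes, then one attribute. */
#define HDR28 0x01,0x01,0x00,0x1c, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
static const uint8_t sample_ok[]       = { HDR28, 0x01,0x08,'a','l','i','c','e','1' };
static const uint8_t sample_overlong[] = { HDR28, 0x01,0xff,'a','l','i','c','e','1' };
static const uint8_t sample_zero_len[] = { HDR28, 0x01,0x00,'a','l','i','c','e','1' };

int main(void)
{
    printf("ok:       %d\n", radius_check_attrs(sample_ok, sizeof sample_ok));
    printf("overlong: %d\n", radius_check_attrs(sample_overlong, sizeof sample_overlong));
    printf("zero len: %d\n", radius_check_attrs(sample_zero_len, sizeof sample_zero_len));
    return 0;
}
```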

Impact:   A remote user can crash the tcpdump process.
Solution:   SCO has issued the following fixes.

OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-008.0/RPMS

Packages

390598fc4ef79eacb5d882fc8905b878 tcpdump-3.8.1-1.i386.rpm

Installation

rpm -Fvh tcpdump-3.8.1-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-008.0/SRPMS

Source Packages

92c4f001608104cb618a8ad20e28d42c tcpdump-3.8.1-1.src.rpm


OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-008.0/RPMS

Packages

597cda73e6704003d586ab453e2a6c89 tcpdump-3.8.1-1.i386.rpm

Installation

rpm -Fvh tcpdump-3.8.1-1.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-008.0/SRPMS

Source Packages

2d6f696cc92deaace62a6ff86e99c436 tcpdump-3.8.1-1.src.rpm

Vendor URL:  www.tcpdump.org/
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux 3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Jan 16 2004 tcpdump RADIUS print_attr_string() Parameter Overflow Lets Remote Users Crash the Process



 Source Message Contents

Subject:  [Full-Disclosure] OpenLinux: Tcpdump flaws in ISAKMP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: Tcpdump flaws in ISAKMP
Advisory number: 	CSSA-2004-008.0
Issue date: 		2004 March 02
Cross reference: 	sr889071 fz528722 erg712537 CAN-2003-0989 CAN-2004-0057 CAN-2004-0055 
______________________________________________________________________________


1. Problem Description

	Tcpdump prints out the headers of packets on a network
	interface.

	George Bakos discovered flaws in the ISAKMP decoding
	routines of tcpdump versions prior to 3.8.1 that allow remote
	attackers to cause a denial of service.  The Common
	Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2003-0989 to this issue.

	Jonathan Heusser discovered an additional flaw in the
	rawprint function in the ISAKMP decoding routines for
	tcpdump 3.8.1 and earlier that could allow attackers to
	cause a denial of service via malformed ISAKMP
	packets that cause invalid "len" or "loc" values to be used
	in a loop.  The Common Vulnerabilities and Exposures project
	(cve.mitre.org) has assigned the name CAN-2004-0057 to this
	issue.

	Jonathan Heusser discovered a flaw in the print_attr_string
	function in print-radius.c for tcpdump 3.8.1 and earlier
	that allows remote attackers to cause a denial of service via a
	RADIUS attribute with a large length value.  The Common
	Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0055 to this issue.

2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to tcpdump-3.8.1-1.i386.rpm
	OpenLinux 3.1.1 Workstation	prior to tcpdump-3.8.1-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-008.0/RPMS

	4.2 Packages

	390598fc4ef79eacb5d882fc8905b878	tcpdump-3.8.1-1.i386.rpm

	4.3 Installation

	rpm -Fvh tcpdump-3.8.1-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-008.0/SRPMS

	4.5 Source Packages

	92c4f001608104cb618a8ad20e28d42c	tcpdump-3.8.1-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-008.0/RPMS

	5.2 Packages

	597cda73e6704003d586ab453e2a6c89	tcpdump-3.8.1-1.i386.rpm

	5.3 Installation

	rpm -Fvh tcpdump-3.8.1-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-008.0/SRPMS

	5.5 Source Packages

	2d6f696cc92deaace62a6ff86e99c436	tcpdump-3.8.1-1.src.rpm


6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0989
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0057
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0055

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr889071 fz528722
	erg712537.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


8. Acknowledgements

	SCO would like to thank Jonathan Heusser and George Bakos.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFARTCbbluZssSXDTERAu8aAJ9OLUXu3XwECnZ/U0Xj90HZAAzJFQCgyFqU
rJeU8Thv5BlZBaF7uBOZNJQ=
=Qu7F
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 

