(SCO Issues Fix for UnixWare) Tcpdump Can Be Crashed By a Remote User Sending a Malicious ISAKMP Packet
SecurityTracker Alert ID: 1010805
SecurityTracker URL: http://securitytracker.com/id/1010805
Date: Jul 29 2004
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.8.1 and prior versions
Several vulnerabilities were reported in tcpdump in the processing of ISAKMP packets. A remote user can cause tcpdump to crash or to enter an infinite loop.
It is reported that the rawprint() function in print-isakmp.c fails to validate its input arguments [CVE: CVE-2004-0057]. A remote user can send a specially crafted ISAKMP packet to cause the tcpdump process to crash. Red Hat credits Jonathan Heusser with discovering this flaw. Version 3.8.1 and prior versions are affected.
It is also reported that versions prior to 3.8.1 contain flaws that allow a remote user to force tcpdump to enter an infinite loop [CVE: CVE-2003-0989]. According to Red Hat, George Bakos discovered these flaws.
A remote user can cause the tcpdump process to crash or to enter an endless loop.
SCO has issued a fix for UnixWare 7.1.3, available at:
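The report names the flaw classes (unvalidated input in an ISAKMP printer, an endless loop) without further detail. As an added illustration that is not tcpdump's code and not part of the advisory, this is the kind of length checking a dissector needs when walking an ISAKMP payload chain laid out as in RFC 2408. The function name, return codes and payload cap are assumptions made for the example, and the zero-length case stands for the general way a length-driven loop can fail to advance, not for the specific reported bug.

```c
#include <stddef.h>
#include <stdint.h>

#define ISAKMP_HDR_LEN  28  /* fixed ISAKMP header, RFC 2408 */
#define GENERIC_HDR_LEN 4   /* next payload, reserved, 16-bit payload length */
#define MAX_PAYLOADS    64  /* assumed cap, chosen for this example */

enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_BAD_LENGTH = -2, WALK_TOO_MANY = -3 };

/* Walk the payload chain of the ISAKMP message in buf[0..caplen).
 * Never reads past caplen; *count receives the payloads accepted so far. */
int walk_isakmp(const uint8_t *buf, size_t caplen, unsigned *count)
{
    *count = 0;
    if (buf == NULL || caplen < ISAKMP_HDR_LEN)
        return WALK_TRUNCATED;
    uint8_t next = buf[16];                       /* header Next Payload */
    uint32_t msglen = (uint32_t)buf[24] << 24 | (uint32_t)buf[25] << 16 |
                      (uint32_t)buf[26] << 8 | buf[27];
    if (msglen < ISAKMP_HDR_LEN)
        return WALK_BAD_LENGTH;
    size_t end = msglen < caplen ? msglen : caplen;  /* trust the smaller bound */
    size_t off = ISAKMP_HDR_LEN;

    while (next != 0) {                           /* 0 = no further payload */
        if (*count >= MAX_PAYLOADS)
            return WALK_TOO_MANY;
        if (end - off < GENERIC_HDR_LEN)
            return WALK_TRUNCATED;
        size_t plen = (size_t)buf[off + 2] << 8 | buf[off + 3];
        if (plen < GENERIC_HDR_LEN)               /* loop would not advance */
            return WALK_BAD_LENGTH;
        if (plen > end - off)                     /* body runs past the data */
            return WALK_TRUNCATED;
        next = buf[off];
        off += plen;
        (*count)++;
    }
    return WALK_OK;
}

/* Constructed sample: header plus two payloads (8 and 4 bytes), 40 bytes. */
static const uint8_t sample[40] = {
    [16] = 1, [17] = 0x10, [27] = 40,   /* next payload, version, length */
    [28] = 13, [31] = 8,                /* payload 1: next=13, length=8 */
    [39] = 4,                           /* payload 2: next=0, length=4 */
};
```

Every length is checked against the smaller of the declared message length and the captured length before it is used, and each iteration must consume at least one generic header, so the loop terminates on any input.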
md5 is available for download from
Vendor URL: cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-isakmp.c
Boundary error, Input validation error, State error
Underlying OS: UNIX (Open UNIX-SCO)
Underlying OS Comments: UnixWare 7.1.3up
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: UnixWare 7.1.3up : tcpdump several vulnerabilities in tcpdump.
-----BEGIN PGP SIGNED MESSAGE-----
SCO Security Advisory
Subject: UnixWare 7.1.3up : tcpdump several vulnerabilities in tcpdump.
Advisory number: SCOSA-2004.9
Issue date: 2004 July 28
Cross reference: sr889195 fz528784 erg712544
CAN-2004-0055 CAN-2004-0057 CAN-2003-0989
CERT Vulnerability Note VU#955526
CERT Vulnerability Note VU#174086
CERT Vulnerability Note VU#738518
1. Problem Description

tcpdump is a widely-used network sniffer.

The issues with tcpdump are present only on UnixWare 7.1.3up and
not on previous versions of UnixWare 7.1.3 or earlier including
Open Unix 8.0.0, because the version of tcpdump UnixWare 7.1.3
and before is 3.4a5 and it doesn't contain these issues.

Remote attackers could potentially exploit these
vulnerabilities by sending carefully-crafted network packets
to a victim. If the victim is running tcpdump, these packets
could result in a denial of service, or possibly execute

Jonathan Heusser discovered a flaw in the print_attr_string
function in the RADIUS decoding routines for tcpdump 3.8.1
and earlier. The CERT Coordination Center has assigned the
following Vulnerability Note VU#955526. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the following name CAN-2004-0055 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP
decoding routines for tcpdump 3.8.1 and earlier. The CERT
Coordination Center has assigned the following Vulnerability
Note VU#174086. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the following name
CAN-2004-0057 to this issue.

George Bakos discovered flaws in the ISAKMP decoding routines
of tcpdump versions prior to 3.8.1. The CERT Coordination
Center has assigned the following Vulnerability Note
VU#738518. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following name CAN-2003-0989
to this issue.
2. Vulnerable Supported Versions
UnixWare 7.1.3up /usr/sbin/tcpdump
The proper solution is to install the latest packages.
4. UnixWare 7.1.3up
4.1 Location of Fixed Binaries
md5 is available for download from
4.3 Installing Fixed Binaries
Please refer to the release notes for installation instructions
that are located in the same directory as the fixed binaries.
Specific references for this advisory:
SCO security resources:
SCO security advisories via email
This security fix closes SCO incidents sr889195 fz528784
SCO is not responsible for the misuse of any of the information
we provide on this web site and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
-----END PGP SIGNATURE-----