Vulnerability

    tcpdump

Affected

    Those running tcpdump

Description

The following is based on FreeBSD Security Advisory FreeBSD-SA-00:61. Several overflowable buffers were discovered in the version of tcpdump included in FreeBSD during internal source code auditing. Some simply allow a remote attacker to crash the local tcpdump process, but there is a more serious vulnerability in the decoding of AFS ACL packets in the more recent version of tcpdump (tcpdump 3.5) included in FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, which may allow a remote attacker to execute arbitrary code on the local system (usually as root, since root privileges are required to run tcpdump).

The former issue (the remote crash) may be a problem for systems using tcpdump as a form of intrusion detection system, i.e. to monitor suspicious network activity: after the attacker crashes any listening tcpdump processes, their subsequent activities will not be observed.

All released versions of FreeBSD prior to the correction date, including 3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE, are vulnerable to the "remote crash" problems, and FreeBSD 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are also vulnerable to the "remote execution" vulnerability. Both problems were corrected in 4.1.1-STABLE prior to the release of FreeBSD 4.2-RELEASE.

Remote users can cause the local tcpdump process to crash, and (under FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior to the correction date) may be able to cause arbitrary code to be executed as the user running tcpdump, usually root.

Solution

For FreeBSD:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

    # cd /usr/src/contrib/tcpdump
    # patch -p < /path/to/patch
    # cd /usr/src/usr.sbin/tcpdump
    # make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.v1.1.asc

    # cd /usr/src/contrib/tcpdump
    # patch -p < /path/to/patch
    # cd /usr/src/usr.sbin/tcpdump
    # make depend && make all install

For SuSE Linux:

    ftp://ftp.suse.com/pub/suse/i386/update/7.0/d1/libpcapn-0.4a6-279.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/tcpdump-3.4a6-280.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/libpcapn-0.4a6-279.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/tcpdump-3.4a6-280.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/d1/libpcapn-0.4a6-279.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/tcpdump-3.4a6-280.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/d1/libpcapn-0.4a6-279.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/tcpdump-3.4a6-280.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/d1/libpcapn-0.4a6-279.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/tcpdump-3.4a6-280.i386.rpm
    ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libpcapn-0.4a6-279.sparc.rpm
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/tcpdump-3.4a6-280.sparc.rpm
    ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/d1/libpcapn-0.4a6-279.alpha.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/tcpdump-3.4a6-280.alpha.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/d1/libpcapn-0.4a6-280.alpha.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/tcpdump-3.4a6-281.alpha.rpm
    ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tcpdump-3.4a6-281.src.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/d1/libpcapn-0.4a6-279.ppc.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/tcpdump-3.4a6-280.ppc.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libpcapn-0.4a6-279.ppc.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/tcpdump-3.4a6-280.ppc.rpm
    ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm

For Debian Linux:

    http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.diff.gz
    http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6-4.2.dsc
    http://security.debian.org/dists/stable/updates/main/source/tcpdump_3.4a6.orig.tar.gz
    http://security.debian.org/dists/stable/updates/main/binary-alpha/tcpdump_3.4a6-4.2_alpha.deb
    http://security.debian.org/dists/stable/updates/main/binary-arm/tcpdump_3.4a6-4.2_arm.deb
    http://security.debian.org/dists/stable/updates/main/binary-i386/tcpdump_3.4a6-4.2_i386.deb
    http://security.debian.org/dists/stable/updates/main/binary-m68k/tcpdump_3.4a6-4.2_m68k.deb
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/tcpdump_3.4a6-4.2_powerpc.deb
    http://security.debian.org/dists/stable/updates/main/binary-sparc/tcpdump_3.4a6-4.2_sparc.deb
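
FreeBSD steps 2a and 2b above say to verify the detached PGP signature before patching. The script below is an added example, not part of the advisory: it makes that check a hard gate and pins the signer instead of accepting any good signature from the keyring. It assumes GnuPG as the PGP utility; `TRUSTED_FPR` is a placeholder, and the function and variable names are illustrative.

```sh
#!/bin/sh
# Added example, not part of the advisory. Assumptions: GnuPG is the "PGP
# utility", and TRUSTED_FPR is a placeholder for the advisory signer's full key
# fingerprint (uppercase hex, no spaces), obtained out of band.
GPG="${GPG:-gpg}"
TRUSTED_FPR="${TRUSTED_FPR:-REPLACE_WITH_SIGNER_KEY_FINGERPRINT}"

# Succeed only if gpg reports a good signature (GOODSIG, which is not emitted
# for expired or revoked keys) and a VALIDSIG line carrying the pinned
# fingerprint (field 3, or the primary key's fingerprint in the last field).
signed_by_trusted_key() {    # $1 = patch file, $2 = detached .asc signature
    [ -s "$1" ] && [ -s "$2" ] || return 2
    "$GPG" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v fpr="$TRUSTED_FPR" '
            $1 != "[GNUPG:]" { next }
            $2 == "GOODSIG"  { good = 1 }
            $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { pinned = 1 }
            END { exit !(good && pinned) }'
}

# Apply the patch with the advisory's own command, but only after the check.
# $1 = patch (absolute path), $2 = signature, $3 = source directory
apply_verified_patch() {
    if ! signed_by_trusted_key "$1" "$2"; then
        echo "refusing to apply $1: no good signature from the pinned key" >&2
        return 1
    fi
    ( cd "$3" && patch -p < "$1" )
}

# Usage: sh verify-patch.sh /path/to/patch /path/to/patch.asc /usr/src/contrib/tcpdump
if [ $# -eq 3 ]; then
    apply_verified_patch "$@"
fi
```

With the placeholder fingerprint left in place the check fails closed, so nothing is patched until a real fingerprint is supplied.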
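
The Description notes that a crashed tcpdump leaves an IDS-style monitor blind to whatever happens next. The watchdog below is an added example, not part of the advisory: it makes each sensor exit raise an alert and escalates a crash loop instead of hiding it. The interface name, capture path and syslog tag are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the advisory: keep a capture sensor from dying
# silently. Interface, pcap path and syslog tag below are hypothetical.

# Describe an exit status; shells report death by signal N as 128+N.
describe_exit() {
    if [ "$1" -gt 128 ]; then
        echo "killed by signal $(( $1 - 128 ))"
    elif [ "$1" -eq 0 ]; then
        echo "clean exit"
    else
        echo "exit status $1"
    fi
}

# Run the sensor command; on every exit raise an alert, then restart it.
# After $1 restarts give up and return the last status, so a crash loop
# reaches an operator instead of being papered over.
supervise() {    # $1 = max restarts, remaining arguments = sensor command
    max=$1; shift
    restarts=0
    while :; do
        "$@"
        status=$?
        msg="capture sensor stopped ($(describe_exit "$status")): $*"
        logger -p daemon.alert -t sensor-watchdog "$msg" 2>/dev/null ||
            echo "$msg" >&2
        if [ "$restarts" -ge "$max" ]; then
            return "$status"
        fi
        restarts=$((restarts + 1))
        sleep "${RESTART_DELAY:-5}"
    done
}

# With -w, tcpdump writes raw packets to a file instead of decoding and
# printing them.
if [ "${1:-}" = "run" ]; then
    supervise 3 tcpdump -n -i em0 -w /var/log/sensor.pcap
fi
```

A restart only restores visibility; a sensor that keeps dying on a signal should be treated as a possible attack on the monitor and patched as described above.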