Title: tcpdump remote DoS
Released by: SuSE
Date: 17th November 2000
-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                tcpdump
        Announcement-ID:        SuSE-SA:2000:46
        Date:                   Friday, November 17th, 2000 16:00 MEST
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     remote denial of service
        Severity (1-10):        6
        SuSE default package:   yes
        Other affected systems: systems using the same versions of tcpdump
                                and the necessary libraries

    Content of this advisory:
        1) security vulnerability resolved: tcpdump
           problem description, discussion, solution and upgrade information
        2) clarification, pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information



    tcpdump is a widespread network/packet analysis tool, also known as a
    packet sniffer, used in unix/unix-like environments.
    Several overflowable buffers have been found in SuSE's version of tcpdump
    that could allow a remote attacker to crash the local tcpdump process.
    Since tcpdump may be used in combination with intrusion detection
    systems, a crashed tcpdump process may disable the network monitoring
    system as a whole.
    The FreeBSD team who found these vulnerabilities also reported that
    the portion of tcpdump's code that decodes AFS ACL (AFS=Andrew File
    System, a network filesystem, ACL=Access Control List) packets is
    vulnerable to a (remotely exploitable) buffer overrun attack that
    could allow a remote attacker to execute arbitrary commands as root,
    since the tcpdump program usually requires root privileges to gain
    access to the raw network socket.
    The versions of tcpdump as shipped with SuSE distributions do not
    contain the AFS packet decoding capability and are therefore not
    vulnerable to this second form of attack.

    A temporary workaround for the tcpdump problems other than not using
    tcpdump in the first place does not exist. However, we provide update
    packages for the affected SuSE distributions. We recommend an upgrade
    using the packages that can be found using the URLs below.

    Note: there is only one source rpm package but two binary rpm
    packages. tcpdump*.rpm is the rpm for the tcpdump program, and
    libpcapn*.rpm is the packet capture library that is required by
    tcpdump at compile time. In order to remove the security vulnerability
    in tcpdump, it is necessary to update the tcpdump rpm package only.
    The libpcapn package with the static library is provided for
    consistency and compatibility because it will be generated if the
    binary packages are rebuilt from the source rpm.

    To check if your system has the vulnerable package installed, use the
    command `rpm -q <package>`. If applicable, please choose the update
    package(s) for your distribution from the URLs listed below and download
    the necessary rpm files. Then, install the package using the command
    `rpm -Uhv file.rpm`. rpm packages have an internal md5 checksum that
    protects against file corruption. You can verify this checksum using
    the command (independently from the md5 sums listed below)
        `rpm --checksig --nogpg file.rpm`
    The md5 sums under each package are to prove the package authenticity,
    independently from the md5 checksums in the rpm package format.
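    The check-then-install procedure above, written out as a small POSIX
    shell helper. This is an added example, not a script from SuSE or from
    the tcpdump project. It assumes `rpm -q tcpdump` prints the installed
    package as name-version-release (e.g. tcpdump-3.4a6-279), that the fixed
    release for this advisory's i386 packages is 280 (the AXP 6.3 packages
    use 281, so adjust FIXED_RELEASE for that platform), and that either
    md5sum or openssl is available to compute the digest. The expected
    digest passed to check_package is the one printed under the matching
    URL in the list below; the test value used inside is a constructed one.

```shell
# Fixed tcpdump release number for this advisory (i386: tcpdump-3.4a6-280).
# Assumption: override for platforms whose fixed release differs (AXP 6.3: 281).
FIXED_RELEASE=${FIXED_RELEASE:-280}

# release_of: extract the trailing rpm release number from "name-version-release".
release_of() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# needs_update: succeeds (exit 0) when the installed release is below the fixed one.
needs_update() {
    installed=$(release_of "$1")
    [ "$installed" -lt "$2" ]
}

# md5_of: print the md5 hex digest of a file, using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 "$1" | sed 's/.*= //'
    fi
}

# md5_matches: succeeds when the file's digest equals the digest from the advisory.
md5_matches() {
    [ "$(md5_of "$1")" = "$2" ]
}

# check_package: verify one downloaded rpm against the advisory digest, then
# against the rpm's own internal checksum, and only then suggest installing it.
check_package() {
    file=$1
    expected=$2
    if ! md5_matches "$file" "$expected"; then
        echo "md5 mismatch for $file: refusing to install" >&2
        return 1
    fi
    # Internal checksum check from the advisory (PGP verification disabled).
    rpm --checksig --nogpg "$file" || return 1
    echo "ok: $file verified, install with: rpm -Uhv $file"
}

# Stand-alone use: ./check.sh <downloaded.rpm> <md5-from-advisory>
# Runs only where rpm exists and both arguments are given.
if command -v rpm >/dev/null 2>&1 && [ "$#" -ge 2 ]; then
    installed=$(rpm -q tcpdump)
    if needs_update "$installed" "$FIXED_RELEASE"; then
        check_package "$1" "$2"
    else
        echo "$installed is already at release $FIXED_RELEASE or later"
    fi
fi
```

    The md5 comparison is done before `rpm --checksig --nogpg` on purpose:
    the internal checksum only detects corruption, so a file that was
    replaced in transit would still pass it, which is why the advisory
    publishes out-of-band sums for each package.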



    i386 Intel Platform:

    SuSE-7.0
    http://ftp.suse.com/pub/suse/i386/update/7.0/d1/libpcapn-0.4a6-279.i386.rpm
      f4e4a9231b695e1cf5eef0ad09871c34
    http://ftp.suse.com/pub/suse/i386/update/7.0/n1/tcpdump-3.4a6-280.i386.rpm
      ba711cf2fab14218752603fa5a941721
    source rpm:
    http://ftp.suse.com/pub/suse/i386/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
      d4c5902c50d6a321e2c4ed665fcd1962

    SuSE-6.4
    http://ftp.suse.com/pub/suse/i386/update/6.4/d1/libpcapn-0.4a6-279.i386.rpm
      a1030d64ca4ca86a08b6bee5dc9cff78
    http://ftp.suse.com/pub/suse/i386/update/6.4/n1/tcpdump-3.4a6-280.i386.rpm
      12335bf0055c6a9b915044a95a544aaa
    source rpm:
    http://ftp.suse.com/pub/suse/i386/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
      dca26c3e5ef81f449cd43ab4d1f91b63

    SuSE-6.3
    http://ftp.suse.com/pub/suse/i386/update/6.3/d1/libpcapn-0.4a6-279.i386.rpm
      13c90044ed57792090163a33ffb69ecf
    http://ftp.suse.com/pub/suse/i386/update/6.3/n1/tcpdump-3.4a6-280.i386.rpm
      646de6c14a2d4988d0c684a42b4eef58
    source rpm:
    http://ftp.suse.com/pub/suse/i386/update/6.3/zq1/tcpdump-3.4a6-280.src.rpm
      46980acd95607d4a9c61ca0f75c33fc2

    SuSE-6.2
    http://ftp.suse.com/pub/suse/i386/update/6.2/d1/libpcapn-0.4a6-279.i386.rpm
      d058e563ad10daf078f5909a6b8ff288
    http://ftp.suse.com/pub/suse/i386/update/6.2/n1/tcpdump-3.4a6-280.i386.rpm
      f5209f1f1433b0a55676f29451a2ef1b
    source rpm:
    http://ftp.suse.com/pub/suse/i386/update/6.2/zq1/tcpdump-3.4a6-280.src.rpm
      cd34cd3feedbe0568d76dd9a406cec79

    SuSE-6.1
    http://ftp.suse.com/pub/suse/i386/update/6.1/d1/libpcapn-0.4a6-279.i386.rpm
      ef454e2d23e410be82aa9f0634bcc9dc
    http://ftp.suse.com/pub/suse/i386/update/6.1/n1/tcpdump-3.4a6-280.i386.rpm
      9f6ebff316039421ee00121a0e8720fa
    source rpm:
    http://ftp.suse.com/pub/suse/i386/update/6.1/zq1/tcpdump-3.4a6-280.src.rpm
      d1148813da9610f940ecdbd462ab2541

    SuSE-6.0
    Please use the package for the SuSE-6.1 distribution.


    Sparc Platform:

    SuSE-7.0
    http://ftp.suse.com/pub/suse/sparc/update/7.0/d1/libpcapn-0.4a6-279.sparc.rpm
      412a7db34985555705d8d43f2853ae4e
    http://ftp.suse.com/pub/suse/sparc/update/7.0/n1/tcpdump-3.4a6-280.sparc.rpm
      a177326150a65d78212cebba90b88201
    source rpm:
    http://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
      49f1f0420dd84070dcd9a67452770e75


    AXP Alpha Platform:

    SuSE-6.4
    http://ftp.suse.com/pub/suse/axp/update/6.4/d1/libpcapn-0.4a6-279.alpha.rpm
      096522f46ab70d92dda17b4ca33b4181
    http://ftp.suse.com/pub/suse/axp/update/6.4/n1/tcpdump-3.4a6-280.alpha.rpm
      84ca9a93a2201f7046446ed07107cbbc
    source rpm:
    http://ftp.suse.com/pub/suse/axp/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
      07ed654ad1693dca5fd433572b3689c9

    SuSE-6.3
    http://ftp.suse.com/pub/suse/axp/update/6.3/d1/libpcapn-0.4a6-280.alpha.rpm
      747c22bb722da5df7fe3cfc252bdc545
    http://ftp.suse.com/pub/suse/axp/update/6.3/n1/tcpdump-3.4a6-281.alpha.rpm
      dbe10ebc95a2371d01df729af265bdf6
    source rpm:
    http://ftp.suse.com/pub/suse/axp/update/6.3/zq1/tcpdump-3.4a6-281.src.rpm
      8f6e48e693fc465c1f60b6cee944c27c


    PPC Power PC Platform:

    SuSE-7.0
    http://ftp.suse.com/pub/suse/ppc/update/7.0/d1/libpcapn-0.4a6-279.ppc.rpm
      140b95ffb3be2c2915327d4798b16dd0
    http://ftp.suse.com/pub/suse/ppc/update/7.0/n1/tcpdump-3.4a6-280.ppc.rpm
      7f71b4ac17e3ad2c071e712c137a7c28
    source rpm:
    http://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/tcpdump-3.4a6-280.src.rpm
      d9db0e99e91d8981efebafd6a539566f

    SuSE-6.4
    http://ftp.suse.com/pub/suse/ppc/update/6.4/d1/libpcapn-0.4a6-279.ppc.rpm
      ed8697842867cbb5457c03015c117131
    http://ftp.suse.com/pub/suse/ppc/update/6.4/n1/tcpdump-3.4a6-280.ppc.rpm
      782dc3faba33cf1b2d9e6ef95caf4107
    source rpm:
    http://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/tcpdump-3.4a6-280.src.rpm
      318bf758753d9728f101de2101ad3227

______________________________________________________________________________



2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    Clarification:
    In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000,
    concerning the paragraph about runtime linking problems in gs
    (GhostScript), I have stated that the problem will be fixed in future
    versions of the SuSE distribution. This does not touch the fact that we
    will of course provide fixes for the older distributions.

    - pine

      We're still working on the packages for the version 4.30 (stability
      problems).

    - ppp

      The ppp "deny_incoming" problem as announced by FreeBSD Security
      Advisory FreeBSD-SA-00:70.ppp-nat is FreeBSD specific and does not
      affect the SuSE distribution.

    - vixie cron

      Michal Zalewski reported security problems in
      Paul Vixie's cron implementation that is commonly used in Linux
      distributions. Due to correct permissions on the directory
      /var/spool/cron, the SuSE cron package is not affected by the problem.



______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                .

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security announcements are sent to this list.
            To subscribe, send an email to
                .

    For general information or the frequently asked questions (faq)
    send mail to:
         or
         respectively.

    ===============================================
    SuSE's security contact is .
    ===============================================

Regards,
Roman Drahtmüller.

- - --
 -                                                                      -
| Roman Drahtmüller       //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way.
    SuSE GmbH makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.



Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team 

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOhVREney5gA9JdPZAQHBPAf/fgUBBQa9WMGBv+IBYcbUjBAVC2Qa/kKI
ZOFVgQPUtLrAk9052YBNbmsDaaUnvgVn09YllVig4fBRfTRm/tdfdq+3rYSGUgn2
NqCc/Om79SDM3TH5wF4VnrTT8bBznCr9u7sWEGFGAa83uuw5eMALXtHcwWqoM5E3
llIKx4mikIHKHPJGZY4+va5Bmn4Zjq1eLInVlkOa9LqsI1+YcLa/9GSsyYgZP3Px
4YnG8XdUwgd6/Nlp1cg6Do/icdH/XfPx/RfVRda8S/sI232ClFt9+PtZbJEDqA2p
SGj5sm4f4h4e3Sn+tnRwKEexgV/84odnnFPeUzwFHXP8LKinZVakDA==
=IV5+
-----END PGP SIGNATURE-----