__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

      Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
            [Red Hat Security Advisory RHSA-2003:032-12]

April 23, 2003 20:00 GMT                                   Number N-080
______________________________________________________________________________
PROBLEM:       * The Border Gateway Protocol (BGP) decoding routines in
                 tcpdump before 3.6.2 used incorrect bounds checking when
                 copying data.
               * The RADIUS decoder in tcpdump 3.6.2 and earlier may cause a
                 denial of service via an invalid RADIUS packet with a header
                 length field of 0.
               * Versions of tcpdump prior to 3.7.2 cannot handle unknown
                 RADIUS attributes properly.
               * The ISAKMP parser in tcpdump 3.6 through 3.7.1 can cause a
                 denial of service via a malformed ISAKMP packet to UDP
                 port 500.
PLATFORM:      * Red Hat Linux 7.1
               * Red Hat Linux 7.2
               * Red Hat Linux 7.3
               * Red Hat Linux 8.0
DAMAGE:        The above vulnerabilities allow remote attackers to cause a
               denial of service, or possibly to execute arbitrary code (on
               these Red Hat builds, as the 'pcap' user; see Red Hat's
               advisory below).
SOLUTION:      Install the updated tcpdump, libpcap, and arpwatch packages
               as instructed in Red Hat's advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. All vulnerabilities may cause remote denial
ASSESSMENT:    of service attacks. In addition, the BGP vulnerability may
               allow the execution of arbitrary code by a remote attacker.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-080.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-032.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2003:032-12 *****]

Updated tcpdump packages fix various vulnerabilities

Advisory:             RHSA-2003:032-12
Last updated on:      2003-04-23
Affected Products:    Red Hat Linux 7.1
                      Red Hat Linux 7.2
                      Red Hat Linux 7.3
                      Red Hat Linux 8.0
CVEs (cve.mitre.org): CAN-2002-1350
                      CAN-2003-0093
                      CAN-2003-0108
                      CAN-2003-0145

Security Advisory Details:

Updated tcpdump, libpcap, and arpwatch packages are available, fixing a
number of vulnerabilities that could be used to cause a denial of service
attack, or possibly execute arbitrary code.

tcpdump is a command-line tool for monitoring network traffic.

The BGP decoding routines in tcpdump before 3.6.2 used incorrect bounds
checking when copying data, which allows remote attackers to cause a denial
of service and possibly execute arbitrary code (as the 'pcap' user).

The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to
cause a denial of service (crash) via an invalid RADIUS packet with a header
length field of 0. This causes tcpdump to generate data within an infinite
loop.

A vulnerability in tcpdump before 3.7.2 is related to an inability to handle
unknown RADIUS attributes properly, and allows remote attackers to cause a
denial of service (infinite loop).

The ISAKMP parser in tcpdump 3.6 through 3.7.1 allows remote attackers to
cause a denial of service (CPU consumption) via a malformed ISAKMP packet to
UDP port 500, causing tcpdump to enter an infinite loop.

Users of tcpdump are advised to upgrade to these errata packages, which
contain patches to correct these issues.
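The RADIUS problems above (an attribute whose length byte is 0, a header
Length field of 0, an attribute type the decoder does not know) are one class
of bug: a parser moves its cursor, or sizes a copy, by an attacker-supplied
length without first checking that the length is at least the size of the
header it describes and at most what remains in the packet. The C below is an
added illustration for this bulletin, not tcpdump's code and not the fix Red
Hat shipped. The RADIUS layout is RFC 2865's; the sample packet, the
iteration cap in the unchecked walker, and all function names are constructed
for the example.

```c
/* Added example (not tcpdump's or Red Hat's code): a minimal RADIUS attribute
 * walker in the style that produced the infinite loops described above, beside
 * a bounds-checked version. RFC 2865 wire format:
 *   header    = Code(1) Identifier(1) Length(2, big-endian) Authenticator(16)
 *   attribute = Type(1) Length(1, counts these 2 bytes too) Value(Length-2) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20
#define RADIUS_MAX_LEN 4096

/* Vulnerable pattern: trusts each attribute's Length byte. Length 0 never
 * advances the cursor, so the loop spins on the same byte forever. max_iter
 * exists only so this demonstration terminates: -1 means "would hang". */
int walk_attrs_unchecked(const uint8_t *attrs, size_t len, int max_iter)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t alen = attrs[off + 1];  /* also reads past a 1-byte tail */
        off += alen;                    /* alen == 0: off never changes */
        if (++count > max_iter)
            return -1;
    }
    return count;
}

/* Hardened walker over a whole packet. Every length is validated against the
 * bytes actually present before it moves the cursor; unknown Types are skipped
 * by their declared Length rather than treated as fatal or zero-sized.
 * Returns the attribute count, or -1 if the packet is malformed. */
int walk_attrs_checked(const uint8_t *pkt, size_t caplen)
{
    if (caplen < RADIUS_HDR_LEN)
        return -1;                      /* truncated header */
    size_t pktlen = ((size_t)pkt[2] << 8) | pkt[3];
    /* RFC 2865: 20 <= Length <= 4096. A Length of 0 (the advisory's "header
     * length field of 0") must be rejected here, before anything computes
     * Length - 20 and wraps. Never trust Length beyond what was captured. */
    if (pktlen < RADIUS_HDR_LEN || pktlen > RADIUS_MAX_LEN || pktlen > caplen)
        return -1;
    size_t off = RADIUS_HDR_LEN;
    int count = 0;
    while (off < pktlen) {
        if (pktlen - off < 2)
            return -1;                  /* attribute header runs off the end */
        uint8_t alen = pkt[off + 1];
        /* < 2 cannot advance past its own header (the hang);
         * > remaining would read or copy beyond the packet (overrun). */
        if (alen < 2 || alen > pktlen - off)
            return -1;
        off += alen;
        count++;
    }
    return count;
}

/* Constructed Access-Request (not a capture): User-Name "bob", NAS-Port 7,
 * and an unknown attribute Type 200 that the walker must skip undecoded. */
static const uint8_t GOOD_PKT[] = {
    0x01, 0x00, 0x00, 0x22,                         /* Code 1, Id 0, Length 34 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* Authenticator (zeros) */
    0x01, 0x05, 'b', 'o', 'b',                      /* User-Name (1), len 5 */
    0x05, 0x06, 0x00, 0x00, 0x00, 0x07,             /* NAS-Port (5), len 6 */
    0xc8, 0x03, 0x2a                                /* Type 200, len 3 */
};

/* 0 = packet as built, 1 = first attribute Length zeroed, 2 = header Length 0 */
static void variant(int which, uint8_t *out)
{
    memcpy(out, GOOD_PKT, sizeof GOOD_PKT);
    if (which == 1) out[RADIUS_HDR_LEN + 1] = 0;
    if (which == 2) out[2] = out[3] = 0;
}

int run_checked(int which)
{
    uint8_t pkt[sizeof GOOD_PKT];
    variant(which, pkt);
    return walk_attrs_checked(pkt, sizeof pkt);
}

int run_unchecked(int which)
{
    uint8_t pkt[sizeof GOOD_PKT];
    variant(which, pkt);
    return walk_attrs_unchecked(pkt + RADIUS_HDR_LEN, sizeof pkt - RADIUS_HDR_LEN, 1000);
}

int main(void)
{
    printf("as built:         checked=%d unchecked=%d\n", run_checked(0), run_unchecked(0));
    printf("attr length 0:    checked=%d unchecked=%d\n", run_checked(1), run_unchecked(1));
    printf("header Length 0:  checked=%d\n", run_checked(2));
    return 0;
}
```

Build with `cc -std=c99 -Wall radius_walk.c` (file name assumed). On the
packet as built both walkers count three attributes, including the unknown
Type 200, which is simply skipped by its declared Length. With the first
attribute's Length byte zeroed the unchecked walker never advances and only
the artificial cap ends it; the checked walker rejects the packet before the
length is used. With the header Length set to 0 the checked walker rejects
the packet at the header, which matters because an unsigned `Length - 20`
computed first would wrap to a huge value. The ISAKMP case in the advisory
is the same shape with a different payload format.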
Updated packages (MD5 checksum, package):

Red Hat Linux 7.1
--------------------------------------------------------------------------------
SRPMS:
292d708f1fb450602bee21df6156d893  tcpdump-3.6.3-17.7.1.2.src.rpm
i386:
5bcf5cc77482fc13c344c27a19686ac1  arpwatch-2.1a11-17.7.1.2.i386.rpm
b21e20256a1d1cfa53fdb462c8f90c4b  libpcap-0.6.2-17.7.1.2.i386.rpm
98718feffb84ef3fcfea62ed23db17fc  tcpdump-3.6.3-17.7.1.2.i386.rpm

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
f8672f45e55ffde6ded3c0d7d01472b1  tcpdump-3.6.3-17.7.2.2.src.rpm
i386:
1be989e664e3041974c851a20455fd44  arpwatch-2.1a11-17.7.2.2.i386.rpm
56b816371fd291638958b95d77c323c9  libpcap-0.6.2-17.7.2.2.i386.rpm
652218eb2d907bfd6e26db476777d2fc  tcpdump-3.6.3-17.7.2.2.i386.rpm
ia64:
a24c92995de53d152ed772e598258ef8  arpwatch-2.1a11-17.7.2.2.ia64.rpm
6ef27041aeed8dbfdf01b1370043b883  libpcap-0.6.2-17.7.2.2.ia64.rpm
c8dcd70b27bdaed019f0e9d599cdfe67  tcpdump-3.6.3-17.7.2.2.ia64.rpm

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
684e881a536069527f0396e8e0108b6e  tcpdump-3.6.3-17.7.3.2.src.rpm
i386:
c806db970d9eb13200e1883ef01bc331  arpwatch-2.1a11-17.7.3.2.i386.rpm
1e84890cbeee2a0be5a63008a46f3485  libpcap-0.6.2-17.7.3.2.i386.rpm
3ce86622d68cb02d8b7b7c0f6e7068bd  tcpdump-3.6.3-17.7.3.2.i386.rpm

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
c8324dcde1d5c01f0089f6519a2e79b9  tcpdump-3.6.3-17.8.0.2.src.rpm
i386:
a9d325e68611a1f4d8d33684fdecd886  arpwatch-2.1a11-17.8.0.2.i386.rpm
343ddd0c76865727ffa4c9daac3015ba  libpcap-0.6.2-17.8.0.2.i386.rpm
c5bc01690d6592889741cc8a213da2f2  tcpdump-3.6.3-17.8.0.2.i386.rpm

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0145
http://www.idefense.com/advisory/02.27.03.txt

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com.
More contact details at http://www.redhat.com/solutions/security/news/contact.html

[***** End Red Hat Security Advisory RHSA-2003:032-12 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-070: Sun Solaris at(1) Command Vulnerability
N-071: Red Hat Eye of GNOME (EOG) Packages Fix Format String Vulnerability
N-072: Sun Solaris dtsession Security Vulnerability
N-073: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
N-074: Microsoft Virtual Machine (VM) Vulnerability
N-075: SGI xfsdump vulnerability
N-076: SGI: Multiple Vulnerabilities in BSD LPR Subsystem
N-077: Microsoft Buffer Overrun in Kernel Message Handling Vulnerability
N-078: Snort Integer Overflow in Stream4 (TCP) Vulnerability
N-079: Cisco Secure Access Control Server (ACS) for Windows Admin Buffer
       Overflow Vulnerability