-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2000.322 -- FreeBSD-SA-00:61
                 tcpdump contains remote vulnerabilities
                            31 October 2000

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                tcpdump
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        BSD
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:61                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          tcpdump contains remote vulnerabilities

Category:       core
Module:         tcpdump
Announced:      2000-10-31
Credits:        Discovered during internal auditing.
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.2
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date
Corrected:      2000-10-04 (FreeBSD 4.1.1-STABLE)
                2000-10-05 (FreeBSD 3.5.1-STABLE)
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

tcpdump is a tool for monitoring network activity.

II.  Problem Description

Several overflowable buffers were discovered in the version of tcpdump
included in FreeBSD, during internal source code auditing. Some simply
allow the remote attacker to crash the local tcpdump process, but there is
a more serious vulnerability in the decoding of AFS ACL packets in the more
recent version of tcpdump (tcpdump 3.5) included in FreeBSD 4.0-RELEASE,
4.1-RELEASE and 4.1.1-RELEASE, which may allow a remote attacker to execute
arbitrary code on the local system (usually root, since root privileges are
required to run tcpdump).

The former issue may be a problem for systems using tcpdump as a form of
intrusion detection system, i.e. to monitor suspicious network activity:
after the attacker crashes any listening tcpdump processes their subsequent
activities will not be observed.

All released versions of FreeBSD prior to the correction date including
3.5.1-RELEASE, 4.0-RELEASE, 4.1-RELEASE and 4.1.1-RELEASE are vulnerable to
the "remote crash" problems, and FreeBSD 4.0-RELEASE, 4.1-RELEASE and
4.1.1-RELEASE are also vulnerable to the "remote execution" vulnerability.
Both problems were corrected in 4.1.1-STABLE prior to the release of
FreeBSD 4.2-RELEASE.

III. Impact

Remote users can cause the local tcpdump process to crash, and (under
FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE prior to
the correction date) may be able to cause arbitrary code to be executed as
the user running tcpdump, usually root.

IV.  Workaround

Do not use vulnerable versions of tcpdump in network environments which
may contain packets from untrusted sources.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE
after the respective correction dates.

2a) FreeBSD 3.x systems prior to the correction date

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-3.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

2b) FreeBSD 4.x systems prior to the correction date

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:61/tcpdump-4.x.patch.asc

# cd /usr/src/contrib/tcpdump
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump
# make depend && make all install

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----
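As an added example (not part of the FreeBSD or AusCERT text), the version and date ranges from the Affects, Corrected and Impact sections above, encoded as a triage check for an inventory of FreeBSD hosts. The release-string format and the date-based handling of -STABLE builds are my assumptions, not the advisory's.

```python
"""Classify a FreeBSD release string against the ranges in FreeBSD-SA-00:61.

Assumptions (mine): release strings look like "4.1.1-RELEASE" or
"3.5.1-STABLE"; a -STABLE build is identified by the date its sources were
checked out, because the fix landed in -STABLE on a date rather than in a
numbered release; a checkout on the correction date itself counts as fixed.
"""
from datetime import date

# Correction dates stated in the advisory, keyed by major version.
CORRECTED = {3: date(2000, 10, 5), 4: date(2000, 10, 4)}

NOT_COVERED = "not covered by SA-00:61"
FIXED = "fixed"
CRASH = "remote crash"
CRASH_AND_EXEC = "remote crash + remote code execution"


def parse_release(release):
    """Split '4.1.1-STABLE' into ((4, 1, 1), 'STABLE'); missing parts become 0."""
    version, _, branch = release.partition("-")
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts), branch.upper()


def classify(release, build_date=None):
    """Return the exposure the advisory states for this FreeBSD version.

    build_date (date or ISO string) is required for -STABLE builds.
    """
    version, branch = parse_release(release)
    major = version[0]
    if major not in CORRECTED:
        return NOT_COVERED                 # e.g. 5.0-CURRENT: not listed
    if major == 4 and version >= (4, 2, 0):
        return FIXED                       # fixed before 4.2-RELEASE shipped
    if branch == "STABLE":
        if build_date is None:
            raise ValueError("a -STABLE build needs its source checkout date")
        if isinstance(build_date, str):
            build_date = date.fromisoformat(build_date)
        if build_date >= CORRECTED[major]:
            return FIXED
    # Every 3.x is exposed to the crash bugs; 4.0, 4.1 and 4.1.1 (RELEASE, or
    # STABLE before the correction date) also carry the AFS ACL code execution bug.
    return CRASH_AND_EXEC if major == 4 else CRASH
```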