SuSE Security Announcement: tcpdump
Nov 17, 2000, 20:38
Date: Fri, 17 Nov 2000 16:39:16 +0100 (MET)
SuSE Security Announcement

Package: tcpdump
Announcement-ID: SuSE-SA:2000:46
Date: Friday, November 17th, 2000 16:00 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
Vulnerability Type: remote denial of service
Severity (1-10): 6
SuSE default package: yes
Other affected systems: systems using the same versions of tcpdump and the necessary libraries

Content of this advisory:
1) security vulnerability resolved: tcpdump
   problem description, discussion, solution and upgrade information
2) clarification, pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
tcpdump is a widely used network packet analysis tool, also known as a packet sniffer, for Unix and Unix-like environments. Several overflowable buffers have been found in SuSE's version of tcpdump that could allow a remote attacker to crash the local tcpdump process. Since tcpdump is often used in combination with intrusion detection systems, a crashed tcpdump process can disable the network monitoring system as a whole. The FreeBSD team that found these vulnerabilities also reported that the portion of tcpdump's code that decodes AFS ACL packets (AFS = Andrew File System, a network filesystem; ACL = Access Control List) is vulnerable to a remotely exploitable buffer overrun that could allow a remote attacker to execute arbitrary commands as root, since tcpdump usually runs with root privileges in order to open the raw network socket. The versions of tcpdump shipped with SuSE distributions do not contain the AFS packet decoding capability and are therefore not vulnerable to this second form of attack.
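The bug class described above, a packet decoder that trusts a length field taken from the wire and reads or copies past the captured data, is best shown together with the check that prevents it. The following is an added example and is not tcpdump's code: it decodes a hypothetical type/length/payload record format, constructed here for illustration, and bounds every read by the capture length and every copy by the size of the destination buffer, returning an error code instead of reading beyond the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of the bounded decoder (negative values are errors). */
enum decode_result { DEC_TRUNCATED = -1, DEC_BAD_LENGTH = -2 };

/*
 * Hypothetical record format, constructed for this example:
 *   1 byte   type
 *   1 byte   len      (number of payload bytes that follow)
 *   len bytes payload (a printable name)
 * Records repeat until the captured data is exhausted.
 */

/* Returns 1 if at least `need` bytes remain between p and end. */
static int have_bytes(const uint8_t *p, const uint8_t *end, size_t need)
{
    return (size_t)(end - p) >= need;   /* the caller guarantees p <= end */
}

/*
 * Decode records from a capture of `caplen` bytes. Writes a summary such as
 * "[1:alpha][2:beta]" into out (always NUL-terminated). Returns the number of
 * records decoded, or a negative decode_result. On DEC_TRUNCATED the records
 * decoded so far are left in out, like a "[|proto]" marker in a sniffer.
 */
int decode_records(const uint8_t *pkt, size_t caplen, char *out, size_t outsz)
{
    const uint8_t *p = pkt, *end = pkt + caplen;
    size_t used = 0;
    int count = 0;

    if (outsz == 0)
        return DEC_BAD_LENGTH;
    out[0] = '\0';

    while (p < end) {
        /* Check that the 2-byte header is inside the capture before reading it. */
        if (!have_bytes(p, end, 2))
            return DEC_TRUNCATED;
        uint8_t type = p[0], len = p[1];
        p += 2;

        /* The length came from the wire: bound it by what was actually captured. */
        if (!have_bytes(p, end, len))
            return DEC_TRUNCATED;

        /* Copy into a fixed stack buffer with an explicit bound (len may be up to 255). */
        char name[16];
        size_t n = len < sizeof(name) - 1 ? len : sizeof(name) - 1;
        memcpy(name, p, n);
        name[n] = '\0';
        p += len;

        /* Append to the caller's buffer with snprintf, which never overruns outsz. */
        int w = snprintf(out + used, outsz - used, "[%u:%s]", (unsigned)type, name);
        if (w < 0 || (size_t)w >= outsz - used)
            return DEC_BAD_LENGTH;
        used += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample capture: two complete records, then one cut off by the snaplen. */
    const uint8_t sample[] = { 1, 5, 'a', 'l', 'p', 'h', 'a',
                               2, 4, 'b', 'e', 't', 'a',
                               3, 9, 'c', 'u', 't' };
    char out[64];
    int rc = decode_records(sample, sizeof sample, out, sizeof out);
    printf("rc=%d summary=%s\n", rc, out);   /* rc=-1: the third record is truncated */
    return 0;
}
```

The two `have_bytes` checks are the whole point: the header check and the payload check each happen before the bytes are touched, so a packet whose length field exceeds the captured data produces `DEC_TRUNCATED` rather than a read past the end of the capture buffer.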
A temporary workaround for the tcpdump problems, other than not using tcpdump in the first place, does not exist. However, we provide update packages for the affected SuSE distributions. We recommend upgrading using the packages found at the URLs below.
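The advisory's point that a crashed capture process silently takes the monitoring down with it suggests an operational check on the defender's side: a supervisor that notices when the capture process dies by a signal, raises an alert and restarts it. The following is an added example, not part of the advisory or of SuSE's packages. It runs an arbitrary capture command (tcpdump, in the intended use) as a child process and classifies how it ended; the command line, the restart delay and the outcome names are assumptions of this example. Restarting does not fix the overflow, the upgrade does; the supervisor only makes the outage visible instead of silent.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the supervised capture process ended (names chosen for this example). */
enum capture_outcome {
    CAP_CLEAN_EXIT = 0,      /* exited with status 0, e.g. a packet count was reached */
    CAP_ERROR_EXIT = 1,      /* exited with a non-zero status (bad arguments, no permission) */
    CAP_DIED_BY_SIGNAL = 2,  /* terminated by a signal: treat as a monitoring outage */
    CAP_SPAWN_FAILED = 3     /* fork() or waitpid() failed; *detail holds errno */
};

/* Map a waitpid() status to an outcome; *detail receives the exit code or signal number. */
enum capture_outcome classify_status(int status, int *detail)
{
    if (WIFSIGNALED(status)) {
        *detail = WTERMSIG(status);
        return CAP_DIED_BY_SIGNAL;
    }
    if (WIFEXITED(status)) {
        *detail = WEXITSTATUS(status);
        return *detail == 0 ? CAP_CLEAN_EXIT : CAP_ERROR_EXIT;
    }
    *detail = 0;
    return CAP_ERROR_EXIT;
}

/* Run argv[0] with the given arguments as a child and block until it ends. */
enum capture_outcome supervise_capture(char *const argv[], int *detail)
{
    pid_t pid = fork();
    if (pid < 0) {
        *detail = errno;
        return CAP_SPAWN_FAILED;
    }
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);   /* exec failed: reported to the parent as an error exit */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR) {
            *detail = errno;
            return CAP_SPAWN_FAILED;
        }
    }
    return classify_status(status, detail);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <capture command> [args...]\n", argv[0]);
        return 2;
    }
    for (;;) {
        int detail = 0;
        enum capture_outcome outcome = supervise_capture(argv + 1, &detail);
        if (outcome == CAP_DIED_BY_SIGNAL) {
            /* This is the case the advisory describes: the sniffer crashed on input. */
            fprintf(stderr, "ALERT: capture process died by signal %d; restarting\n", detail);
            sleep(1);   /* assumed restart delay; avoids a tight restart loop */
            continue;
        }
        if (outcome == CAP_CLEAN_EXIT)
            return 0;
        fprintf(stderr, "capture process ended abnormally (detail=%d); not restarting\n", detail);
        return 1;
    }
}
```

Only a signal death is restarted: a non-zero exit usually means a configuration problem that a restart would not cure, and restarting on it would hide the error in a loop. In practice the alert line would go to syslog or the IDS console rather than stderr.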
Note: there is only one source rpm package but two binary rpm packages. tcpdump*.rpm is the rpm for the tcpdump program, and libpcapn*.rpm is the packet capture library that tcpdump requires at compile time. To remove the security vulnerability in tcpdump, it is necessary to update only the tcpdump rpm package. The libpcapn package with the static library is provided for consistency and compatibility, because it is generated when the binary packages are rebuilt from the source rpm.
To check if your system has the vulnerable package installed, use the command `rpm -q`. If applicable, please choose the update package(s) for your distribution from the URLs listed below and download the necessary rpm files. Then, install the package using the command `rpm -Uhv file.rpm`. rpm packages have an internal md5 checksum that protects against file corruption. You can verify this checksum using the command (independently from the md5 signatures below)
i386 Intel Platform:
AXP Alpha Platform:
PPC Power PC Platform:
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
Clarification: In my message (Subject: "SuSE: miscellaneous"), dated Wed, 15 Nov 2000, concerning the paragraph about runtime linking problems in gs (GhostScript), I stated that the problem will be fixed in future versions of the SuSE distribution. This does not touch the fact that we will of course provide fixes for the older distributions.
We're still working on the packages for version 4.30 (stability problems).
The ppp "deny_incoming" problem as announced by FreeBSD Security Advisory FreeBSD-SA-00:70.ppp-nat is FreeBSD specific and does not affect the SuSE distribution.
- vixie cron
Michal Zalewski reported security problems in Paul Vixie's cron implementation, which is commonly used in Linux distributions. Because the directory /var/spool/cron has correct permissions, the SuSE cron package is not affected by the problem.
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may subscribe:
SuSE's security contact is email@example.com.
Roman Drahtmüller firstname.lastname@example.org
SuSE GmbH - Security, Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)