copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2007.0876 -- [UNIX/Linux][RedHat] -- Moderate: tcpdump security and bug fix update

Date: 08 November 2007
References: ESB-2007.0572  ESB-2007.0921  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2007.0876 -- [UNIX/Linux][RedHat]
               Moderate: tcpdump security and bug fix update
                              8 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              tcpdump
Publisher:            Red Hat
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Red Hat Linux 5
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3798 CVE-2007-1218

Ref:                  ESB-2007.0572

Original Bulletin:    https://rhn.redhat.com/errata/RHSA-2007-0368.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat Linux. It is recommended that
         administrators running tcpdump check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: tcpdump security and bug fix update
Advisory ID:       RHSA-2007:0368-03
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0368.html
Issue date:        2007-11-07
Updated on:        2007-11-07
Product:           Red Hat Enterprise Linux
Keywords:          overflow crash 802.11
CVE Names:         CVE-2007-1218 CVE-2007-3798 
- - ---------------------------------------------------------------------

1. Summary:

Updated tcpdump packages that fix a security issue and functionality bugs
are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

Tcpdump is a command line tool for monitoring network traffic.

Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11
processing code. If a certain link type was explicitly specified, an
attacker could inject a carefully crafted frame onto the IEEE 802.11
network that could crash a running tcpdump session. (CVE-2007-1218)

An integer overflow flaw was found in tcpdump's BGP processing code. An
attacker could execute arbitrary code with the privilege of the pcap user
by injecting a crafted frame onto the network. (CVE-2007-3798)

In addition, the following bugs have been addressed:

* The arpwatch service initialization script would exit prematurely,
returning an incorrect successful exit status and preventing the status
command from running in case networking is not available.

* Tcpdump would not drop root privileges completely when launched with the
- - -C option. This might have been abused by an attacker to gain root
privileges in case a security problem was found in tcpdump. Users of
tcpdump are encouraged to specify meaningful arguments to the -Z option in
case they want tcpdump to write files with privileges other than of the
pcap user.

Users of tcpdump are advised to upgrade to these erratum packages, which
contain backported patches that correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

232347 - CVE-2007-1218 tcpdump denial of service
237779 - Wrong init script
241677 - tcpdump -Z -C should drop root privileges completely
250275 - CVE-2007-3798 tcpdump BGP integer overflow

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tcpdump-3.9.4-11.el5.src.rpm
2d8a9b6ce960508362a7f9d80633b3da  tcpdump-3.9.4-11.el5.src.rpm

i386:
bf509e032af93a166ee85eb44fb9806c  libpcap-0.9.4-11.el5.i386.rpm
e1366b54fb414744f8066cda26ae1cf4  tcpdump-3.9.4-11.el5.i386.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm

x86_64:
bf509e032af93a166ee85eb44fb9806c  libpcap-0.9.4-11.el5.i386.rpm
5f5a5af8ab76663a97667d1036ec9668  libpcap-0.9.4-11.el5.x86_64.rpm
230e4421c10064f6b30666894151f545  tcpdump-3.9.4-11.el5.x86_64.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm
fe81bedaac8d616dd5174aa36ede5261  tcpdump-debuginfo-3.9.4-11.el5.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/tcpdump-3.9.4-11.el5.src.rpm
2d8a9b6ce960508362a7f9d80633b3da  tcpdump-3.9.4-11.el5.src.rpm

i386:
8a2efa5cde05859090d27899455fd8ea  arpwatch-2.1a13-18.el5.i386.rpm
e7fc87898e4d015cd6d9e3db48d9ca9f  libpcap-devel-0.9.4-11.el5.i386.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm

x86_64:
01df957f9cf7cf71afdef3649564dbb1  arpwatch-2.1a13-18.el5.x86_64.rpm
e7fc87898e4d015cd6d9e3db48d9ca9f  libpcap-devel-0.9.4-11.el5.i386.rpm
52d87731d358492ae67ae75ee92794c7  libpcap-devel-0.9.4-11.el5.x86_64.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm
fe81bedaac8d616dd5174aa36ede5261  tcpdump-debuginfo-3.9.4-11.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/tcpdump-3.9.4-11.el5.src.rpm
2d8a9b6ce960508362a7f9d80633b3da  tcpdump-3.9.4-11.el5.src.rpm

i386:
8a2efa5cde05859090d27899455fd8ea  arpwatch-2.1a13-18.el5.i386.rpm
bf509e032af93a166ee85eb44fb9806c  libpcap-0.9.4-11.el5.i386.rpm
e7fc87898e4d015cd6d9e3db48d9ca9f  libpcap-devel-0.9.4-11.el5.i386.rpm
e1366b54fb414744f8066cda26ae1cf4  tcpdump-3.9.4-11.el5.i386.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm

ia64:
4afabd661d6cdc60e129cfd97cc40a9d  arpwatch-2.1a13-18.el5.ia64.rpm
f4696ab17886456c3106756ed94158da  libpcap-0.9.4-11.el5.ia64.rpm
ca57b4643c6670b21ad4aa15b277f728  libpcap-devel-0.9.4-11.el5.ia64.rpm
4f844de6d34ff8b4f80c054e78a7088f  tcpdump-3.9.4-11.el5.ia64.rpm
fe0efc47f60a0b7292a7faa11b6bbe84  tcpdump-debuginfo-3.9.4-11.el5.ia64.rpm

ppc:
8f4f509649250ef31e2a75bb5b9ed772  arpwatch-2.1a13-18.el5.ppc.rpm
a98d4e12b603d3dda4de51f887c48218  libpcap-0.9.4-11.el5.ppc.rpm
1a1556ff29bf547645be3bbecfccdf36  libpcap-0.9.4-11.el5.ppc64.rpm
1db21646d5ecea38de52ca5210bca741  libpcap-devel-0.9.4-11.el5.ppc.rpm
24182f64ea6d93b6d7905d39fb5dcc41  libpcap-devel-0.9.4-11.el5.ppc64.rpm
e671300d796e42688d50d074e0c1b5f1  tcpdump-3.9.4-11.el5.ppc.rpm
31c3146286375aa062ac6c08ffd32fee  tcpdump-debuginfo-3.9.4-11.el5.ppc.rpm
a5a7c8f13c8102951334387a4b56ca77  tcpdump-debuginfo-3.9.4-11.el5.ppc64.rpm

s390x:
a1900619ecfb99b2bfb2db7d2b8fda0c  arpwatch-2.1a13-18.el5.s390x.rpm
e65d46956c9aabb2dc4372e89a773095  libpcap-0.9.4-11.el5.s390.rpm
8d248c1c133eef93c00d12e3e4648cc8  libpcap-0.9.4-11.el5.s390x.rpm
13d1f23310369d5702f1208f9c3d38b4  libpcap-devel-0.9.4-11.el5.s390.rpm
d3230eb608c67be9e9090f42b882e6f1  libpcap-devel-0.9.4-11.el5.s390x.rpm
e2c3146e79feeea209f2642aaa34fdb6  tcpdump-3.9.4-11.el5.s390x.rpm
3b16d216d6d5567349710f49fed21387  tcpdump-debuginfo-3.9.4-11.el5.s390.rpm
ce98f450ecdfdc58669ce05741222081  tcpdump-debuginfo-3.9.4-11.el5.s390x.rpm

x86_64:
01df957f9cf7cf71afdef3649564dbb1  arpwatch-2.1a13-18.el5.x86_64.rpm
bf509e032af93a166ee85eb44fb9806c  libpcap-0.9.4-11.el5.i386.rpm
5f5a5af8ab76663a97667d1036ec9668  libpcap-0.9.4-11.el5.x86_64.rpm
e7fc87898e4d015cd6d9e3db48d9ca9f  libpcap-devel-0.9.4-11.el5.i386.rpm
52d87731d358492ae67ae75ee92794c7  libpcap-devel-0.9.4-11.el5.x86_64.rpm
230e4421c10064f6b30666894151f545  tcpdump-3.9.4-11.el5.x86_64.rpm
3a3db9efe4f5ba07d092013a88bf5ae4  tcpdump-debuginfo-3.9.4-11.el5.i386.rpm
fe81bedaac8d616dd5174aa36ede5261  tcpdump-debuginfo-3.9.4-11.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHMeUBXlSAg2UNWIIRAtP5AJ9TbdZGXzZxIGcVNxnj0ZbNz6WcRACgtJ/L
gcpBNPO8jhuHmsSPiAwQkLM=
=Rb2l
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRzJIjCh9+71yA2DNAQKKtgP+K/Idwo/G8WD4YqhZknPvHmJvga38ibVB
RyC92hg90N+XX2USd3S84vhauWraDSkhcwpf2fODxMdjAtGcj86rckk5vwOTqHYi
P+DQiZeq36NiID5FnAL5aiOTSgMDYKYuqJ9NeHmzT1KPpsENzbJqP4KcQv+wb7wc
rEhOpl6SoEQ=
=Isfl
-----END PGP SIGNATURE-----