i386/66311: TCPDUMP ISAKMP payload handling denial-of-service Vulnerability

John R Smith advisory at servangle.net
Wed May 5 22:30:22 PDT 2004


>Number:         66311
>Category:       i386
>Synopsis:       TCPDUMP ISAKMP payload handling denial-of-service Vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 05 22:30:21 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     John R Smith
>Release:        4.9-STABLE
>Organization:
servAngle, LLC.
>Environment:
FreeBSD nads 4.9-STABLE FreeBSD 4.9-STABLE #2: Fri Apr 20 20:58:14 HST 2004     root at nads:/usr/obj/usr/src/sys/NADS01  i386

>Description:
	TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol.  Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash.

http://www.rapid7.com/advisories/R7-0017.html

We've had to disable the tcpdump binaries on our FreeBSD systems at work (U.S. Army) to be compliant.

>How-To-Repeat:
	An ISAKMP packet with a malformed Identification payload with a self-reported payload length that becomes less than 8 when its byte order is reversed will cause TCPDUMP to crash as it tries to read from beyond the end of the snap buffer. 
>Fix:
	Upgrade to version 3.8.3 of TCPDUMP.  You should also consider upgrading to version 0.8.3 of libpcap.
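As an added illustration of the length check that the How-To-Repeat section above describes, the following C snippet is example code written for this page; it is not tcpdump's code and not part of the PR. It parses a single ISAKMP Identification payload (the 4-byte generic payload header from RFC 2408 followed by the payload's 8-byte fixed part), reads the 16-bit payload length in network byte order, and refuses to go further when the self-reported length is either below 8 or beyond the number of bytes actually captured. The sample payloads, the result codes and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes from RFC 2408: every ISAKMP payload starts with a 4-byte generic
 * header (next payload, reserved, 16-bit length); the Identification payload
 * adds a 1-byte ID type and 3 bytes of DOI-specific data, so its fixed part
 * is 8 bytes and any self-reported length below 8 is malformed. */
#define ISAKMP_GEN_HDR_LEN 4u
#define ISAKMP_ID_MIN_LEN  8u

enum id_check {
    ID_OK = 0,
    ID_TRUNCATED_HDR,    /* fewer than 4 captured bytes: the length field itself is missing */
    ID_LEN_TOO_SMALL,    /* self-reported length < 8: the fixed part cannot fit */
    ID_LEN_EXCEEDS_CAP   /* self-reported length runs past the captured bytes (snaplen) */
};

/* The payload length is carried in network (big-endian) byte order. */
static uint16_t isakmp_payload_len(const uint8_t *len_field)
{
    return (uint16_t)(((unsigned)len_field[0] << 8) | len_field[1]);
}

/* Validate one Identification payload starting at buf, of which only caplen
 * bytes were captured. Both comparisons must pass before any byte past the
 * generic header is read. On success *id_data_len receives the number of
 * identification-data bytes that follow the 8-byte fixed part. */
enum id_check check_id_payload(const uint8_t *buf, size_t caplen, size_t *id_data_len)
{
    if (caplen < ISAKMP_GEN_HDR_LEN)
        return ID_TRUNCATED_HDR;

    uint16_t len = isakmp_payload_len(buf + 2);
    if (len < ISAKMP_ID_MIN_LEN)
        return ID_LEN_TOO_SMALL;
    if (len > caplen)
        return ID_LEN_EXCEEDS_CAP;

    if (id_data_len != NULL)
        *id_data_len = (size_t)len - ISAKMP_ID_MIN_LEN;
    return ID_OK;
}

/* Constructed sample payloads for the example; none comes from a real capture. */
static const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x00, 0x00, 0x0c,   /* next payload = NONE, reserved, length = 12 */
    0x01, 0x00, 0x00, 0x00,   /* ID type = 1 (ID_IPV4_ADDR in the IPsec DOI), DOI data */
    192,  0,    2,    1       /* 4 bytes of identification data */
};
static const uint8_t SAMPLE_SHORT_LEN[] = {
    0x00, 0x00, 0x00, 0x04,   /* length = 4: smaller than the 8-byte fixed part */
    0x01, 0x00, 0x00, 0x00
};
static const uint8_t SAMPLE_OVERRUN[] = {
    0x00, 0x00, 0x01, 0x00,   /* length = 256, but only 8 bytes were captured */
    0x01, 0x00, 0x00, 0x00
};

static const char *id_check_name(enum id_check r)
{
    switch (r) {
    case ID_OK:              return "ok";
    case ID_TRUNCATED_HDR:   return "truncated generic header";
    case ID_LEN_TOO_SMALL:   return "payload length below fixed part";
    case ID_LEN_EXCEEDS_CAP: return "payload length exceeds captured bytes";
    }
    return "unknown";
}

/* Runs the check over all samples and returns how many were accepted. */
int count_accepted_samples(void)
{
    const uint8_t *bufs[] = { SAMPLE_GOOD, SAMPLE_SHORT_LEN, SAMPLE_OVERRUN };
    const size_t caplens[] = { sizeof SAMPLE_GOOD, sizeof SAMPLE_SHORT_LEN, sizeof SAMPLE_OVERRUN };
    int accepted = 0;
    for (size_t i = 0; i < 3; i++) {
        size_t data_len = 0;
        enum id_check r = check_id_payload(bufs[i], caplens[i], &data_len);
        printf("sample %zu: %s (id data bytes: %zu)\n", i, id_check_name(r), data_len);
        if (r == ID_OK)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    return count_accepted_samples() == 1 ? 0 : 1;
}
```

Build with `cc -Wall -o idcheck idcheck.c` and run it; only the first sample is accepted, the other two are rejected before any byte beyond the generic header is touched. The same pair of comparisons (per-type minimum size, then remaining capture length) applies to every ISAKMP payload type; the Identification payload is shown because it is the one this report names.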
>Release-Note:
>Audit-Trail:
>Unformatted:

