Bug 1472878 (CVE-2017-11108)

Summary: CVE-2017-11108 tcpdump: Heap buffer overflow in the EXTRACT_16BITS function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dominik.mierzejewski, luhliari, mruprich, msehnout, msekleta, thozza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-19 15:09:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1472879    
Bug Blocks:    

Description Andrej Nemec 2017-07-19 15:08:10 UTC 
tcpdump allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. 

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1468504
Comment 1 Andrej Nemec 2017-07-19 15:08:40 UTC 
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1472879]
Comment 2 Dominik Mierzejewski 2017-09-05 08:21:32 UTC 
According to NVD, CVSSv3 score is actually 7.5, not 3.3:
https://nvd.nist.gov/vuln/detail/CVE-2017-11108

CVSS v3 Base Score:
    7.5 High 
Vector:
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
Impact Score:
    3.6 
Exploitability Score:
    3.9 

Could you reconsider?
Comment 3 Andrej Nemec 2017-09-05 10:02:38 UTC 
(In reply to Dominik Mierzejewski from comment #2)
> According to NVD, CVSSv3 score is actually 7.5, not 3.3:
> https://nvd.nist.gov/vuln/detail/CVE-2017-11108
> 
> CVSS v3 Base Score:
>     7.5 High 
> Vector:
>     CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
> Impact Score:
>     3.6 
> Exploitability Score:
>     3.9 
> 
> Could you reconsider?

Hello Dominik,

NVD has a habit of assuming the worst case scenario even where it's very improbable. A discussion in the upstream bug agrees with us that this should not concern well configured deployments. 

An attacker would have to be on the same L2 link, and have permission by the switching fabric to send STP packets. We don't plan to fix this asynchronously as of now.
Comment 4 Dominik Mierzejewski 2017-09-05 10:45:56 UTC 
Thank you for the clarification, Andrej.
Comment 5 Doran Moppert 2018-05-16 02:36:28 UTC 
This issue was addressed in Red Hat Enterprise Linux 7 via RHEA-2018:0705, which rebased tcpdump to 4.9.2:

https://access.redhat.com/errata/RHEA-2018:0705