Bug 1472878 - CVE-2017-11108 tcpdump: Heap buffer overflow in the EXTRACT_16BITS function
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20170707,reported=2...
Keywords: Security
Depends On: 1472879
Reported: 2017-07-19 11:08 EDT by Andrej Nemec
Modified: 2017-09-05 06:45 EDT

Last Closed: 2017-07-19 11:09:18 EDT
Description Andrej Nemec 2017-07-19 11:08:10 EDT
tcpdump allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. 

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1468504
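The description above names the bug pattern (an unchecked 16-bit extraction inside a decoder that trusts a fixed protocol layout) without showing it. The C below is an added, constructed illustration of that bug class and its fix; it is not tcpdump's stp_print or EXTRACT_16BITS code and does not reproduce the actual crash. It decodes a toy IEEE 802.1D configuration BPDU (35-byte fixed layout) first by trusting the layout, then with every read checked against the captured length, the way a snaplen-truncated or deliberately short frame must be handled. The sample BPDU bytes, the field names and the 30-byte truncation are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked big-endian 16-bit read: the pattern behind this bug class.
   Only valid if the caller has already proven that p[0] and p[1] lie
   inside the captured bytes of the packet. */
#define EXTRACT_16BITS(p) \
    ((uint16_t)(((uint16_t)(p)[0] << 8) | (uint16_t)(p)[1]))

/* Byte offsets of an IEEE 802.1D configuration BPDU (35 bytes). */
enum {
    BPDU_PROTO_ID   = 0,  /* 2 bytes, always 0x0000 */
    BPDU_VERSION    = 2,  /* 1 byte */
    BPDU_TYPE       = 3,  /* 1 byte, 0x00 = configuration BPDU */
    BPDU_FLAGS      = 4,  /* 1 byte */
    BPDU_ROOT_ID    = 5,  /* 8 bytes */
    BPDU_ROOT_COST  = 13, /* 4 bytes */
    BPDU_BRIDGE_ID  = 17, /* 8 bytes */
    BPDU_PORT_ID    = 25, /* 2 bytes */
    BPDU_MSG_AGE    = 27, /* 2 bytes */
    BPDU_MAX_AGE    = 29, /* 2 bytes */
    BPDU_HELLO      = 31, /* 2 bytes */
    BPDU_FWD_DELAY  = 33, /* 2 bytes */
    BPDU_CONFIG_LEN = 35
};

struct stp_config {
    uint16_t proto_id;
    uint32_t root_cost;
    uint16_t port_id, msg_age, max_age, hello_time, fwd_delay;
};

/* Constructed sample: a valid configuration BPDU (root cost 4,
   port id 0x8001, max age 20 s, hello 2 s, forward delay 15 s). */
static const uint8_t sample_bpdu[BPDU_CONFIG_LEN] = {
    0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* root id */
    0x00, 0x00, 0x00, 0x04,                           /* root path cost */
    0x80, 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,   /* bridge id */
    0x80, 0x01, 0x00, 0x00, 0x14, 0x00, 0x02, 0x00, 0x0f, 0x00
};

/* Vulnerable shape: the decoder trusts the fixed layout and never looks at
   how many bytes were actually captured, so a BPDU cut short by the snaplen
   (or crafted short on the wire) makes EXTRACT_16BITS read past the buffer.
   Safe to call only when the caller knows at least 35 bytes are present. */
static void stp_parse_unchecked(const uint8_t *buf, struct stp_config *out)
{
    out->proto_id   = EXTRACT_16BITS(buf + BPDU_PROTO_ID);
    out->root_cost  = ((uint32_t)EXTRACT_16BITS(buf + BPDU_ROOT_COST) << 16)
                    | EXTRACT_16BITS(buf + BPDU_ROOT_COST + 2);
    out->port_id    = EXTRACT_16BITS(buf + BPDU_PORT_ID);
    out->msg_age    = EXTRACT_16BITS(buf + BPDU_MSG_AGE);
    out->max_age    = EXTRACT_16BITS(buf + BPDU_MAX_AGE);
    out->hello_time = EXTRACT_16BITS(buf + BPDU_HELLO);
    out->fwd_delay  = EXTRACT_16BITS(buf + BPDU_FWD_DELAY);
}

/* Hardened read: refuses instead of touching bytes beyond caplen. */
static int extract_16bits_checked(const uint8_t *buf, size_t caplen,
                                  size_t off, uint16_t *out)
{
    if (off > caplen || caplen - off < 2)
        return -1;
    *out = EXTRACT_16BITS(buf + off);
    return 0;
}

/* Returns 0 on success. On a truncated capture returns -1 and stores in
   *bad_off the offset of the first field that could not be read in full,
   i.e. where the unchecked decoder would have read past the end. */
static int stp_parse_checked(const uint8_t *buf, size_t caplen,
                             struct stp_config *out, size_t *bad_off)
{
#define READ16(off, dst) do { \
        if (extract_16bits_checked(buf, caplen, (off), (dst))) { \
            *bad_off = (off); return -1; } } while (0)
    uint16_t hi, lo;
    READ16(BPDU_PROTO_ID, &out->proto_id);
    if (caplen <= BPDU_TYPE) { *bad_off = BPDU_TYPE; return -1; }
    if (buf[BPDU_TYPE] != 0x00) return -2;        /* not a config BPDU */
    READ16(BPDU_ROOT_COST, &hi);
    READ16(BPDU_ROOT_COST + 2, &lo);
    out->root_cost = ((uint32_t)hi << 16) | lo;
    READ16(BPDU_PORT_ID, &out->port_id);
    READ16(BPDU_MSG_AGE, &out->msg_age);
    READ16(BPDU_MAX_AGE, &out->max_age);
    READ16(BPDU_HELLO, &out->hello_time);
    READ16(BPDU_FWD_DELAY, &out->fwd_delay);
    return 0;
#undef READ16
}

int main(void)
{
    struct stp_config c;
    size_t bad = 0;

    stp_parse_unchecked(sample_bpdu, &c);   /* safe: full 35 bytes present */
    printf("unchecked: root cost %u, max age %u\n", c.root_cost, c.max_age);

    /* Same bytes, but only 30 of them captured: checked decoder stops. */
    if (stp_parse_checked(sample_bpdu, 30, &c, &bad) != 0)
        printf("checked: truncated capture rejected at offset %zu\n", bad);
    return 0;
}
```

The checked decoder reports the offset it refused at, which is also the point where the trusting decoder would have walked off the end of the buffer; that is the value to look for when mapping a crash address back to a field.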
Comment 1 Andrej Nemec 2017-07-19 11:08:40 EDT
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1472879]
Comment 2 Dominik Mierzejewski 2017-09-05 04:21:32 EDT
According to NVD, CVSSv3 score is actually 7.5, not 3.3:
https://nvd.nist.gov/vuln/detail/CVE-2017-11108

CVSS v3 Base Score: 7.5 High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact Score: 3.6
Exploitability Score: 3.9

Could you reconsider?
Comment 3 Andrej Nemec 2017-09-05 06:02:38 EDT
(In reply to Dominik Mierzejewski from comment #2)
> According to NVD, CVSSv3 score is actually 7.5, not 3.3:
> https://nvd.nist.gov/vuln/detail/CVE-2017-11108
> 
> CVSS v3 Base Score: 7.5 High
> Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> Impact Score: 3.6
> Exploitability Score: 3.9
> 
> Could you reconsider?

Hello Dominik,

NVD has a habit of assuming the worst-case scenario even where it's very improbable. A discussion in the upstream bug agrees with us that this should not concern well-configured deployments.

An attacker would have to be on the same L2 link, and have permission by the switching fabric to send STP packets. We don't plan to fix this asynchronously as of now.
Comment 4 Dominik Mierzejewski 2017-09-05 06:45:56 EDT
Thank you for the clarification, Andrej.
