tcpdump allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packet data. The crash occurs in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol. Product bug: https://bugzilla.redhat.com/show_bug.cgi?id=1468504
Created tcpdump tracking bugs for this issue: Affects: fedora-all [bug 1472879]
According to NVD, CVSSv3 score is actually 7.5, not 3.3: https://nvd.nist.gov/vuln/detail/CVE-2017-11108 CVSS v3 Base Score: 7.5 High Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Impact Score: 3.6 Exploitability Score: 3.9 Could you reconsider?
(In reply to Dominik Mierzejewski from comment #2) > According to NVD, CVSSv3 score is actually 7.5, not 3.3: > https://nvd.nist.gov/vuln/detail/CVE-2017-11108 > > CVSS v3 Base Score: > 7.5 High > Vector: > CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > Impact Score: > 3.6 > Exploitability Score: > 3.9 > > Could you reconsider? Hello Dominik, NVD has a habit of assuming the worst case scenario even where it's very improbable. A discussion in the upstream bug agrees with us that this should not concern well configured deployments. An attacker would have to be on the same L2 link, and have permission by the switching fabric to send STP packets. We don't plan to fix this asynchronously as of now.
Thank you for the clarification, Andrej.
This issue was addressed in Red Hat Enterprise Linux 7 via RHEA-2018:0705, which rebased tcpdump to 4.9.2: https://access.redhat.com/errata/RHEA-2018:0705