Vulnerabilities > CVE-2003-0093 - Denial-Of-Service vulnerability in tcpdump
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0, which causes tcpdump to generate data within an infinite loop.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-027.NASL description A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs in the tcpdump program. By sending a specially crafted network packet, an attacker is able to to cause tcpdump to enter an infinite loop. In addition, the tcpdump developers found a potential infinite loop when tcpdump parses malformed BGP packets. A buffer overflow was also discovered that can be exploited with certain malformed NFS packets. last seen 2020-06-01 modified 2020-06-02 plugin id 14011 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14011 title Mandrake Linux Security Advisory : tcpdump (MDKSA-2003:027) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:027. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14011); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1350", "CVE-2003-0093", "CVE-2003-0108", "CVE-2003-0145"); script_xref(name:"MDKSA", value:"2003:027"); script_name(english:"Mandrake Linux Security Advisory : tcpdump (MDKSA-2003:027)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered by Andrew Griffiths and iDEFENSE Labs in the tcpdump program. By sending a specially crafted network packet, an attacker is able to to cause tcpdump to enter an infinite loop. In addition, the tcpdump developers found a potential infinite loop when tcpdump parses malformed BGP packets. A buffer overflow was also discovered that can be exploited with certain malformed NFS packets." ); script_set_attribute( attribute:"solution", value: "Update the affected libpcap0, libpcap0-devel and / or tcpdump packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpcap0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpcap0-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libpcap0-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"libpcap0-devel-0.7.2-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"tcpdump-3.7.2-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-033.NASL description Updated tcpdump, libpcap, and arpwatch packages are available to fix an incorrect bounds check when decoding BGP packets and a possible denial of service. Tcpdump is a command-line tool for monitoring network traffic. The BGP decoding routines in tcpdump before version 3.6.2 used incorrect bounds checking when copying data, which allows remote attackers to cause a denial of service and possibly execute arbitrary code (as the last seen 2020-06-01 modified 2020-06-02 plugin id 12358 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12358 title RHEL 2.1 : tcpdump (RHSA-2003:033) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:033. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12358); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2002-1350", "CVE-2003-0093"); script_xref(name:"RHSA", value:"2003:033"); script_name(english:"RHEL 2.1 : tcpdump (RHSA-2003:033)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated tcpdump, libpcap, and arpwatch packages are available to fix an incorrect bounds check when decoding BGP packets and a possible denial of service. Tcpdump is a command-line tool for monitoring network traffic. The BGP decoding routines in tcpdump before version 3.6.2 used incorrect bounds checking when copying data, which allows remote attackers to cause a denial of service and possibly execute arbitrary code (as the 'pcap' user). If a UDP packet from a radius port contains 0 at the second byte tcpdump gets stuck in a loop that generating an infinite stream of '#0#0#0#0#0'. This could be used as a denial of service. Users of tcpdump are advised to upgrade to these errata packages which contain patches to correct thes issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1350" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0093" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:033" ); script_set_attribute( attribute:"solution", value:"Update the affected arpwatch, libpcap and / or tcpdump packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arpwatch"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2003/02/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:033"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"arpwatch-2.1a11-12.2.1AS.1")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libpcap-0.6.2-12.2.1AS.1")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"tcpdump-3.6.2-12.2.1AS.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-261.NASL description A problem has been discovered in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted RADIUS network packet which causes tcpdump to enter an infinite loop. last seen 2020-06-01 modified 2020-06-02 plugin id 15098 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15098 title Debian DSA-261-1 : tcpdump - infinite loop code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-261. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15098); script_version("1.21"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0093", "CVE-2003-0145"); script_xref(name:"DSA", value:"261"); script_name(english:"Debian DSA-261-1 : tcpdump - infinite loop"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A problem has been discovered in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted RADIUS network packet which causes tcpdump to enter an infinite loop." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-261" ); script_set_attribute( attribute:"solution", value: "Upgrade the tcpdump package. For the stable distribution (woody) this problem has been fixed in version 3.6.2-2.4. The old stable distribution (potato) does not seem to be affected by this problem." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"tcpdump", reference:"3.6.2-2.4")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
| advisories |
|
References
- http://www.debian.org/security/2003/dsa-261
- http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:027
- http://www.redhat.com/support/errata/RHSA-2003-032.html
- http://www.redhat.com/support/errata/RHSA-2003-033.html
- http://www.redhat.com/support/errata/RHSA-2003-214.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=81585
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11324