Vulnerabilities > CVE-2004-0055 - Denial Of Service vulnerability in TCPDump Malformed RADIUS Packet

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
lbl
nessus

Summary

The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.

Vulnerable Configurations

Part Description Count
Application
Lbl
4

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-008.NASL
    descriptionUpdated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in ISAKMP and RADIUS parsing. [Updated 15 Jan 2004] Updated the text description to better describe the vulnerabilities found by Jonathan Heusser and give them CVE names. Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id12448
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12448
    titleRHEL 2.1 / 3 : tcpdump (RHSA-2004:008)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:008. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12448);
      script_version ("1.28");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0989", "CVE-2004-0055", "CVE-2004-0057");
      script_xref(name:"RHSA", value:"2004:008");
    
      script_name(english:"RHEL 2.1 / 3 : tcpdump (RHSA-2004:008)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in
    ISAKMP and RADIUS parsing.
    
    [Updated 15 Jan 2004] Updated the text description to better describe
    the vulnerabilities found by Jonathan Heusser and give them CVE names.
    
    Tcpdump is a command-line tool for monitoring network traffic.
    
    George Bakos discovered flaws in the ISAKMP decoding routines of
    tcpdump versions prior to 3.8.1. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989
    to this issue.
    
    Jonathan Heusser discovered an additional flaw in the ISAKMP decoding
    routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057
    to this issue.
    
    Jonathan Heusser discovered a flaw in the print_attr_string function
    in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-0055 to this issue.
    
    Remote attackers could potentially exploit these issues by sending
    carefully-crafted packets to a victim. If the victim uses tcpdump,
    these pakets could result in a denial of service, or possibly execute
    arbitrary code as the 'pcap' user.
    
    Users of tcpdump are advised to upgrade to these erratum packages,
    which contain backported security patches and are not vulnerable to
    these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0989"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0055"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0057"
      );
      # http://marc.theaimsgroup.com/?l=tcpdump-workers&m=107325073018070
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=tcpdump-workers&m=107325073018070"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:008"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected arpwatch, libpcap and / or tcpdump packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arpwatch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/02/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:008";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"arpwatch-2.1a11-12.2.1AS.5")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"libpcap-0.6.2-12.2.1AS.5")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"tcpdump-3.6.2-12.2.1AS.5")) flag++;
    
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"libpcap-0.7.2-7.E3.1")) flag++;
      if (rpm_check(release:"RHEL3", cpu:"i386", reference:"tcpdump-3.7.2-7.E3.1")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-425.NASL
    descriptionMultiple vulnerabilities were discovered in tcpdump, a tool for inspecting network traffic. If a vulnerable version of tcpdump attempted to examine a maliciously constructed packet, a number of buffer overflows could be exploited to crash tcpdump, or potentially execute arbitrary code with the privileges of the tcpdump process. - CAN-2003-1029 - infinite loop and memory consumption in processing L2TP packets - CAN-2003-0989, CAN-2004-0057 - infinite loops in processing ISAKMP packets - CAN-2004-0055 - segmentation fault caused by a RADIUS attribute with a large length value
    last seen2020-06-01
    modified2020-06-02
    plugin id15262
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15262
    titleDebian DSA-425-1 : tcpdump - multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-425. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15262);
      script_version("1.28");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0989", "CVE-2003-1029", "CVE-2004-0055", "CVE-2004-0057");
      script_bugtraq_id(9263, 9507);
      script_xref(name:"CERT", value:"174086");
      script_xref(name:"CERT", value:"738518");
      script_xref(name:"CERT", value:"955526");
      script_xref(name:"DSA", value:"425");
    
      script_name(english:"Debian DSA-425-1 : tcpdump - multiple vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were discovered in tcpdump, a tool for
    inspecting network traffic. If a vulnerable version of tcpdump
    attempted to examine a maliciously constructed packet, a number of
    buffer overflows could be exploited to crash tcpdump, or potentially
    execute arbitrary code with the privileges of the tcpdump process.
    
      - CAN-2003-1029 - infinite loop and memory consumption in
        processing L2TP packets
      - CAN-2003-0989, CAN-2004-0057 - infinite loops in
        processing ISAKMP packets
    
      - CAN-2004-0055 - segmentation fault caused by a RADIUS
        attribute with a large length value"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-425"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the current stable distribution (woody) these problems have been
    fixed in version 3.6.2-2.7.
    
    
    We recommend that you update your tcpdump package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"tcpdump", reference:"3.6.2-2.7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-008.NASL
    descriptionA number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump or potentially execute arbitrary code with the privileges of the user running tcpdump. These vulnerabilities include : An infinite loop and memory consumption processing L2TP packets (CVE-2003-1029). Infinite loops in processing ISAKMP packets (CVE-2003-0989, CVE-2004-0057). A segmentation fault caused by a RADIUS attribute with a large length value (CVE-2004-0055). The updated packages are patched to correct these problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id14108
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14108
    titleMandrake Linux Security Advisory : tcpdump (MDKSA-2004:008)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2004:008. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14108);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2003-0989", "CVE-2003-1029", "CVE-2004-0055", "CVE-2004-0057");
      script_xref(name:"MDKSA", value:"2004:008");
    
      script_name(english:"Mandrake Linux Security Advisory : tcpdump (MDKSA-2004:008)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A number of vulnerabilities were discovered in tcpdump versions prior
    to 3.8.1 that, if fed a maliciously crafted packet, could be exploited
    to crash tcpdump or potentially execute arbitrary code with the
    privileges of the user running tcpdump. These vulnerabilities 
    include :
    
    An infinite loop and memory consumption processing L2TP packets
    (CVE-2003-1029).
    
    Infinite loops in processing ISAKMP packets (CVE-2003-0989,
    CVE-2004-0057).
    
    A segmentation fault caused by a RADIUS attribute with a large length
    value (CVE-2004-0055).
    
    The updated packages are patched to correct these problem."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected tcpdump package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"tcpdump-3.7.2-2.1.91mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"tcpdump-3.7.2-2.1.92mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-090.NASL
    descriptionUpdated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in ISAKMP and RADIUS parsing. Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id13682
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13682
    titleFedora Core 1 : tcpdump-3.7.2-7.fc1.1 (2004-090)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-090.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13682);
      script_version ("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2003-0989", "CVE-2004-0055", "CVE-2004-0057");
      script_xref(name:"FEDORA", value:"2004-090");
    
      script_name(english:"Fedora Core 1 : tcpdump-3.7.2-7.fc1.1 (2004-090)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in
    ISAKMP and RADIUS parsing.
    
    Tcpdump is a command-line tool for monitoring network traffic.
    
    George Bakos discovered flaws in the ISAKMP decoding routines of
    tcpdump versions prior to 3.8.1. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989
    to this issue.
    
    Jonathan Heusser discovered an additional flaw in the ISAKMP decoding
    routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057
    to this issue.
    
    Jonathan Heusser discovered a flaw in the print_attr_string function
    in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-0055 to this issue.
    
    Remote attackers could potentially exploit these issues by sending
    carefully-crafted packets to a victim. If the victim uses tcpdump,
    these pakets could result in a denial of service, or possibly execute
    arbitrary code as the 'pcap' user.
    
    Users of tcpdump are advised to upgrade to these erratum packages,
    which contain backported security patches and are not vulnerable to
    these issues.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-March/000081.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7158213d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:arpwatch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpcap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"arpwatch-2.1a11-7.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"libpcap-0.7.2-7.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"tcpdump-3.7.2-7.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"tcpdump-debuginfo-3.7.2-7.fc1.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump / tcpdump-debuginfo");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-092.NASL
    descriptionUpdated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in ISAKMP and RADIUS parsing. Tcpdump is a command-line tool for monitoring network traffic. George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989 to this issue. Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057 to this issue. Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0055 to this issue. Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these pakets could result in a denial of service, or possibly execute arbitrary code as the
    last seen2020-06-01
    modified2020-06-02
    plugin id13683
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13683
    titleFedora Core 1 : tcpdump-3.7.2-8.fc1.1 (2004-092)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-092.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13683);
      script_version ("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2003-0989", "CVE-2004-0055", "CVE-2004-0057");
      script_xref(name:"FEDORA", value:"2004-092");
    
      script_name(english:"Fedora Core 1 : tcpdump-3.7.2-8.fc1.1 (2004-092)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in
    ISAKMP and RADIUS parsing.
    
    Tcpdump is a command-line tool for monitoring network traffic.
    
    George Bakos discovered flaws in the ISAKMP decoding routines of
    tcpdump versions prior to 3.8.1. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2003-0989
    to this issue.
    
    Jonathan Heusser discovered an additional flaw in the ISAKMP decoding
    routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2004-0057
    to this issue.
    
    Jonathan Heusser discovered a flaw in the print_attr_string function
    in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2004-0055 to this issue.
    
    Remote attackers could potentially exploit these issues by sending
    carefully-crafted packets to a victim. If the victim uses tcpdump,
    these pakets could result in a denial of service, or possibly execute
    arbitrary code as the 'pcap' user.
    
    Users of tcpdump are advised to upgrade to these erratum packages,
    which contain backported security patches and are not vulnerable to
    these issues.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-March/000084.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1a86e0f3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:arpwatch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libpcap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:tcpdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"arpwatch-2.1a11-8.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"libpcap-0.7.2-8.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"tcpdump-3.7.2-8.fc1.1")) flag++;
    if (rpm_check(release:"FC1", cpu:"i386", reference:"tcpdump-debuginfo-3.7.2-8.fc1.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump / tcpdump-debuginfo");
    }
    

Oval

  • accepted2007-04-25T19:53:00.525-04:00
    classvulnerability
    contributors
    • nameJay Beale
      organizationBastille Linux
    • nameThomas R. Jones
      organizationMaitreya Security
    descriptionThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.
    familyunix
    idoval:org.mitre.oval:def:850
    statusaccepted
    submitted2004-03-20T12:00:00.000-04:00
    titleRed Hat tcpdump Denial of Service via print_attr_string Function
    version38
  • accepted2007-04-25T19:53:01.098-04:00
    classvulnerability
    contributors
    • nameJay Beale
      organizationBastille Linux
    • nameThomas R. Jones
      organizationMaitreya Security
    descriptionThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.
    familyunix
    idoval:org.mitre.oval:def:853
    statusaccepted
    submitted2004-03-20T12:00:00.000-04:00
    titleRed Hat Enterprise 3 tcpdump Denial of Service via print_attr_string Function
    version38
  • accepted2013-04-29T04:23:56.229-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    descriptionThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.
    familyunix
    idoval:org.mitre.oval:def:9989
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleThe print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.
    version26

Redhat

advisories
rhsa
idRHSA-2004:008
rpms
  • arpwatch-14:2.1a11-12.2.1AS.5
  • libpcap-14:0.6.2-12.2.1AS.5
  • libpcap-14:0.7.2-7.E3.1
  • tcpdump-14:3.6.2-12.2.1AS.5
  • tcpdump-14:3.7.2-7.E3.1
  • tcpdump-debuginfo-14:3.7.2-7.E3.1

References