CVE-2007-1218 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tcpdump

047910
CVSS 6.8 - MEDIUM (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, tcpdump, CWE-119, nessus

Summary

Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. The Red Hat advisory text reproduced in the Nessus entries below adds the precondition that the affected code is reached when tcpdump is explicitly told to decode the IEEE 802.11 link type.
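
As an added example, not tcpdump's own print-802_11.c and not taken from any advisory on this page, the following C models the bug class the summary describes: an information-element (IE) length check that is one byte too permissive, shown beside the corrected check. The buffer size, the canary layout, the function names and the two IE byte strings are assumptions constructed for the demonstration; the canary byte makes the one-byte overrun observable while keeping every write inside a defined object.

```c
/*
 * Illustrative model of the CVE-2007-1218 bug class: an off-by-one in an
 * 802.11 information-element (IE) parser whose length check admits one
 * byte more than the destination buffer holds.  Added example, not
 * tcpdump's print-802_11.c; buffer size, canary layout and frame bytes
 * are assumptions made for the demonstration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID   0x00
#define SSID_MAX  32                 /* 802.11: an SSID is 0..32 octets */
#define SSID_BUF  (SSID_MAX + 1)     /* octets plus terminating NUL */
#define CANARY    0xA5

/* The SSID buffer is modelled as a flat byte array with one extra canary
 * byte immediately after it, so the overrun is visible and the demo itself
 * never writes outside a defined object. */
struct ie_store {
    uint8_t bytes[SSID_BUF + 1];     /* [0..32] SSID + NUL, [33] canary */
    uint8_t len;
};

static void store_init(struct ie_store *st)
{
    memset(st, 0, sizeof *st);
    st->bytes[SSID_BUF] = CANARY;
}

int canary_intact(const struct ie_store *st)
{
    return st->bytes[SSID_BUF] == CANARY;
}

/* Common prologue: element id, length byte, and enough frame left for it. */
static int ie_header_ok(const uint8_t *p, size_t n, uint8_t *len)
{
    if (n < 2 || p[0] != IE_SSID) return -1;
    *len = p[1];
    if (n - 2 < *len) return -1;     /* truncated frame: length runs past the end */
    return 0;
}

/* Vulnerable variant: the comparison uses the full buffer size, so len == 33
 * passes, memcpy fills all 33 bytes, and the NUL lands at bytes[33]. */
int parse_ssid_vuln(const uint8_t *p, size_t n, struct ie_store *st)
{
    uint8_t len;
    if (ie_header_ok(p, n, &len) < 0) return -1;
    if (len > SSID_BUF) return -1;   /* BUG: must be SSID_BUF - 1 (== SSID_MAX) */
    memcpy(st->bytes, p + 2, len);
    st->bytes[len] = '\0';           /* one past the SSID buffer when len == SSID_BUF */
    st->len = len;
    return 0;
}

/* Fixed variant: reserve the last slot for the terminator. */
int parse_ssid_fixed(const uint8_t *p, size_t n, struct ie_store *st)
{
    uint8_t len;
    if (ie_header_ok(p, n, &len) < 0) return -1;
    if (len > SSID_MAX) return -1;   /* len <= SSID_BUF - 1, terminator always fits */
    memcpy(st->bytes, p + 2, len);
    st->bytes[len] = '\0';
    st->len = len;
    return 0;
}

/* Constructed IEs (not captured traffic): a normal 6-octet SSID and a
 * crafted one whose length byte is 33, one more than the buffer holds. */
const uint8_t IE_SSID_OK[] = { IE_SSID, 6, 'l','a','b','-','a','p' };
const uint8_t IE_SSID_33[] = {
    IE_SSID, 33,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};

/* Run one parser over one IE on a fresh store; returns the parser's result. */
int run_parser(int fixed, const uint8_t *ie, size_t n, struct ie_store *st)
{
    store_init(st);
    return fixed ? parse_ssid_fixed(ie, n, st) : parse_ssid_vuln(ie, n, st);
}

/* 0: IE rejected; 1: accepted with buffer intact; 2: accepted and overran. */
int outcome(int fixed, const uint8_t *ie, size_t n)
{
    struct ie_store st;
    if (run_parser(fixed, ie, n, &st) < 0) return 0;
    return canary_intact(&st) ? 1 : 2;
}

int main(void)
{
    printf("vulnerable parser, 33-octet SSID: outcome %d (2 = overran)\n",
           outcome(0, IE_SSID_33, sizeof IE_SSID_33));
    printf("fixed parser,      33-octet SSID: outcome %d (0 = rejected)\n",
           outcome(1, IE_SSID_33, sizeof IE_SSID_33));
    return 0;
}
```

The vulnerable parser accepts the 33-octet SSID and clobbers the canary; the fixed one rejects it and both reject a frame that ends before the element does. When auditing a decoder of this kind, the question to ask of every fixed-size element buffer is whether the length comparison leaves room for the terminator the code writes afterwards.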

Common Attack Pattern Enumeration and Classification (CAPEC)

These are the generic CAPEC patterns mapped to CWE-119; for this CVE the applicable one is Overflow Buffers, reached through a crafted 802.11 frame, while the environment-variable, hostile-service and MIME patterns describe other delivery channels for the same weakness class.

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2007-009.NASL
    description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29723
    published: 2007-12-18
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29723
    title: Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29723);
      script_version("1.27");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2006-0024", "CVE-2007-1218", "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661",
                    "CVE-2007-1662", "CVE-2007-3798", "CVE-2007-3876", "CVE-2007-4131", "CVE-2007-4351",
                    "CVE-2007-4572", "CVE-2007-4708", "CVE-2007-4709", "CVE-2007-4710", "CVE-2007-4766",
                    "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4965", "CVE-2007-5116", "CVE-2007-5379",
                    "CVE-2007-5380", "CVE-2007-5398", "CVE-2007-5476", "CVE-2007-5770", "CVE-2007-5847",
                    "CVE-2007-5848", "CVE-2007-5849", "CVE-2007-5850", "CVE-2007-5851", "CVE-2007-5853",
                    "CVE-2007-5854", "CVE-2007-5855", "CVE-2007-5856", "CVE-2007-5857", "CVE-2007-5858",
                    "CVE-2007-5859", "CVE-2007-5860", "CVE-2007-5861", "CVE-2007-5863", "CVE-2007-6077",
                    "CVE-2007-6165");
      script_bugtraq_id(17106, 22772, 24965, 25417, 25696, 26096, 26268, 26274, 26346,
                        26350, 26421, 26454, 26455, 26510, 26598, 26908, 26910, 26926);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-009)");
      script_summary(english:"Check for the presence of Security Update 2007-009");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.5 or 10.4 that does
    not have Security Update 2007-009 applied. 
    
    This update contains several security fixes for a large number of
    programs.");
      script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307179");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/13649");
      script_set_attribute(attribute:"solution", value:"Install Security Update 2007-009.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Mail.app Image Attachment Command Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(16, 20, 22, 79, 119, 134, 189, 200, 264, 287, 310, 362, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    
    uname = get_kb_item("Host/uname");
    if ( ! uname ) exit(0);
    if ( egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname) )
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if ( ! packages ) exit(0);
      if (!egrep(pattern:"^SecUpd(Srvr)?(2007-009|200[89]-|20[1-9][0-9]-)", string:packages))
        security_hole(0);
    }
    else if ( egrep(pattern:"Darwin.* (9\.[01]\.)", string:uname) )
    {
     packages = get_kb_item("Host/MacOSX/packages/boms");
     if ( ! packages ) exit(0);
     if ( !egrep(pattern:"^com\.apple\.pkg\.update\.security\.2007\.009\.bom", string:packages) )
    	security_hole(0);
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0368.NASL
    description: Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27828
    published: 2007-11-08
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27828
    title: RHEL 5 : tcpdump (RHSA-2007:0368)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0368. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27828);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2007-1218", "CVE-2007-3798");
      script_bugtraq_id(24965);
      script_xref(name:"RHSA", value:"2007:0368");
    
      script_name(english:"RHEL 5 : tcpdump (RHSA-2007:0368)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated tcpdump packages that fix a security issue and functionality
    bugs are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Tcpdump is a command line tool for monitoring network traffic.
    
    Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE
    802.11 processing code. If a certain link type was explicitly
    specified, an attacker could inject a carefully crafted frame onto the
    IEEE 802.11 network that could crash a running tcpdump session.
    (CVE-2007-1218)
    
    An integer overflow flaw was found in tcpdump's BGP processing code.
    An attacker could execute arbitrary code with the privilege of the
    pcap user by injecting a crafted frame onto the network.
    (CVE-2007-3798)
    
    In addition, the following bugs have been addressed :
    
    * The arpwatch service initialization script would exit prematurely,
    returning an incorrect successful exit status and preventing the
    status command from running in case networking is not available.
    
    * Tcpdump would not drop root privileges completely when launched with
    the -C option. This might have been abused by an attacker to gain root
    privileges in case a security problem was found in tcpdump. Users of
    tcpdump are encouraged to specify meaningful arguments to the -Z
    option in case they want tcpdump to write files with privileges other
    than of the pcap user.
    
    Users of tcpdump are advised to upgrade to these erratum packages,
    which contain backported patches that correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-1218"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2007-3798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2007:0368"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arpwatch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libpcap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2007:0368";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"arpwatch-2.1a13-18.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"arpwatch-2.1a13-18.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"arpwatch-2.1a13-18.el5")) flag++;
      if (rpm_check(release:"RHEL5", reference:"libpcap-0.9.4-11.el5")) flag++;
      if (rpm_check(release:"RHEL5", reference:"libpcap-devel-0.9.4-11.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"tcpdump-3.9.4-11.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"tcpdump-3.9.4-11.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"tcpdump-3.9.4-11.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / libpcap-devel / tcpdump");
      }
    }
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20071115_TCPDUMP_ON_SL4_X.NASL
    description: Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60310
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60310
    title: Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60310);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/25 13:36:17");
    
      script_cve_id("CVE-2007-1218", "CVE-2007-3798");
    
      script_name(english:"Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE
    802.11 processing code. An attacker could inject a carefully crafted
    frame onto the IEEE 802.11 network that could crash a running tcpdump
    session if a certain link type was explicitly specified.
    (CVE-2007-1218)
    
    An integer overflow flaw was found in tcpdump's BGP processing code.
    An attacker could execute arbitrary code with the privilege of the
    pcap user by injecting a crafted frame onto the network.
    (CVE-2007-3798)
    
    In addition, the following bugs have been addressed :
    
      - if called with -C and -W switches, tcpdump would create
        the first savefile with the privileges of the user that
        executed tcpdump (usually root), rather than with ones
        of the pcap user. This could result in the inability to
        save the complete traffic log file properly without the
        immediate notice of the user running tcpdump.
    
      - the arpwatch service initialization script would exit
        prematurely, returning a successful exit status
        incorrectly and preventing the status command from
        running in case networking is not available."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0711&L=scientific-linux-errata&T=0&P=4200
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?38b74fcf"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected arpwatch, libpcap and / or tcpdump packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL4", reference:"arpwatch-2.1a13-12.el4")) flag++;
    if (rpm_check(release:"SL4", reference:"libpcap-0.8.3-12.el4")) flag++;
    if (rpm_check(release:"SL4", reference:"tcpdump-3.8.2-12.el4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0387.NASL
    description: Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67051
    published: 2013-06-29
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67051
    title: CentOS 4 : tcpdump (CESA-2007:0387)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0387 and 
    # CentOS Errata and Security Advisory 2007:0387 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67051);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2007-1218", "CVE-2007-3798");
      script_bugtraq_id(24965);
      script_xref(name:"RHSA", value:"2007:0387");
    
      script_name(english:"CentOS 4 : tcpdump (CESA-2007:0387)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated tcpdump packages that fix a security issue and functionality
    bugs are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Tcpdump is a command line tool for monitoring network traffic.
    
    Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE
    802.11 processing code. An attacker could inject a carefully crafted
    frame onto the IEEE 802.11 network that could crash a running tcpdump
    session if a certain link type was explicitly specified.
    (CVE-2007-1218)
    
    An integer overflow flaw was found in tcpdump's BGP processing code.
    An attacker could execute arbitrary code with the privilege of the
    pcap user by injecting a crafted frame onto the network.
    (CVE-2007-3798)
    
    In addition, the following bugs have been addressed :
    
    * if called with -C and -W switches, tcpdump would create the first
    savefile with the privileges of the user that executed tcpdump
    (usually root), rather than with ones of the pcap user. This could
    result in the inability to save the complete traffic log file properly
    without the immediate notice of the user running tcpdump.
    
    * the arpwatch service initialization script would exit prematurely,
    returning a successful exit status incorrectly and preventing the
    status command from running in case networking is not available.
    
    Users of tcpdump are advised to upgrade to these erratum packages,
    which contain backported patches that correct these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2007-November/014424.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d51143c9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected tcpdump packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:arpwatch");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libpcap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"arpwatch-2.1a13-12.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"libpcap-0.8.3-12.el4")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"tcpdump-3.8.2-12.el4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arpwatch / libpcap / tcpdump");
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-056.NASL
    description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. Updated packages have been patched to address this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24806
    published: 2007-03-12
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24806
    title: Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:056)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2007:056. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24806);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:49");
    
      script_cve_id("CVE-2007-1218");
      script_xref(name:"MDKSA", value:"2007:056");
    
      script_name(english:"Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:056)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Off-by-one buffer overflow in the parse_elements function in the
    802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier
    allows remote attackers to cause a denial of service (crash) via a
    crafted 802.11 frame. NOTE: this was originally referred to as
    heap-based, but it might be stack-based.
    
    Updated packages have been patched to address this issue."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected tcpdump package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(119,189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:tcpdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"tcpdump-3.9.3-1.3.20060mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2007.0", reference:"tcpdump-3.9.4-1.1mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-347.NASL
    description: - Thu Mar 15 2007 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.4-10.fc6 - fix buffer overflow in 802.11 printer (#232349, CVE-2007-1218) - require /usr/sbin/sendmail (#232363) - Fri Nov 17 2006 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.4-9 - fix processing of Prism and AVS headers (#206686) - fix arp2ethers script - update ethercodes.dat - move pcap man page to devel package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24836
    published: 2007-03-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24836
    title: Fedora Core 6 : tcpdump-3.9.4-10.fc6 (2007-347)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20071109_TCPDUMP_ON_SL5_X.NASL
    description: Problem description : Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60299
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60299
    title: Scientific Linux Security Update : tcpdump on SL5.x i386/x86_64
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0387.NASL
    description: Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28235
    published: 2007-11-16
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/28235
    title: RHEL 4 : tcpdump (RHSA-2007:0387)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-155.NASL
    description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. Updated packages have been patched to prevent this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36699
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36699
    title: Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:155)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1272.NASL
    description: Moritz Jodeit discovered an off-by-one buffer overflow in tcpdump, a powerful tool for network monitoring and data acquisition, which allows denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24881
    published: 2007-03-26
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24881
    title: Debian DSA-1272-1 : tcpdump - buffer overflow
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-429-1.NASL
    description: Moritz Jodeit discovered that tcpdump had an overflow in the 802.11 packet parser. Remote attackers could send specially crafted packets, crashing tcpdump, possibly leading to a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28023
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/28023
    title: Ubuntu 5.10 / 6.06 LTS / 6.10 : tcpdump vulnerability (USN-429-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2007-348.NASL
    description: - Thu Mar 15 2007 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.4-4.fc5 - fix buffer overflow in 802.11 printer (#232349, CVE-2007-1218) - require /usr/sbin/sendmail (#232363) - Wed Nov 8 2006 Miroslav Lichvar <mlichvar at redhat.com> - 14:3.9.4-3.fc5 - fix processing of Prism and AVS headers (#207435) - fix arp2ethers script - update ethercodes.dat. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24837
    published: 2007-03-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24837
    title: Fedora Core 5 : tcpdump-3.9.4-4.fc5 (2007-348)

Oval

accepted: 2013-04-29T04:19:57.436-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
family: unix
id: oval:org.mitre.oval:def:9520
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.
version: 27

Redhat

advisories
  • rhsa
    id: RHSA-2007:0368
  • rhsa
    id: RHSA-2007:0387
rpms
  • arpwatch-14:2.1a13-18.el5
  • libpcap-14:0.9.4-11.el5
  • libpcap-devel-14:0.9.4-11.el5
  • tcpdump-14:3.9.4-11.el5
  • tcpdump-debuginfo-14:3.9.4-11.el5
  • arpwatch-14:2.1a13-12.el4
  • libpcap-14:0.8.3-12.el4
  • tcpdump-14:3.8.2-12.el4
  • tcpdump-debuginfo-14:3.8.2-12.el4

Statements

contributor: Mark J Cox
last modified: 2007-05-11
organization: Red Hat
statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232347 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

References