Vulnerabilities > CVE-2014-9140 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat Tcpdump
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 7 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-102.NASL description Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-03-26 plugin id 82086 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82086 title Debian DLA-102-1 : tcpdump security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-102-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(82086); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-8767", "CVE-2014-8769", "CVE-2014-9140"); script_bugtraq_id(71150, 71153, 71468); script_name(english:"Debian DLA-102-1 : tcpdump security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2014/12/msg00005.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/tcpdump" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected tcpdump package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"tcpdump", reference:"4.1.1-1+deb6u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3086.NASL description Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code. last seen 2020-03-17 modified 2014-12-04 plugin id 79697 published 2014-12-04 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79697 title Debian DSA-3086-1 : tcpdump - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3086. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(79697); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-8767", "CVE-2014-8769", "CVE-2014-9140"); script_bugtraq_id(71150, 71153); script_xref(name:"DSA", value:"3086"); script_name(english:"Debian DSA-3086-1 : tcpdump - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service, leaking sensitive information from memory or, potentially, execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770424" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770434" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/tcpdump" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-3086" ); script_set_attribute( attribute:"solution", value: "Upgrade the tcpdump packages. For the stable distribution (wheezy), these problems have been fixed in version 4.3.0-1+deb7u1. For the upcoming stable distribution (jessie), these problems have been fixed in version 4.6.2-3." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tcpdump"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/12/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"tcpdump", reference:"4.3.0-1+deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-240.NASL description Updated tcpdump package fixes security vulnerabilities : The Tcpdump program could crash when processing a malformed OLSR payload when the verbose output flag was set (CVE-2014-8767). The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol in Tcpdump fails to perform input validation and performs unsafe out-of-bound accesses. The application will usually not crash, but perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if a payload exists that might trigger segfaults (CVE-2014-8769). It was discovered that tcpdump incorrectly handled printing PPP packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9140). last seen 2020-06-01 modified 2020-06-02 plugin id 79985 published 2014-12-15 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79985 title Mandriva Linux Security Advisory : tcpdump (MDVSA-2014:240) NASL family SuSE Local Security Checks NASL id SUSE_11_TCPDUMP-150320.NASL description When running tcpdump, a remote unauthenticated user could have crashed the application or, potentially, execute arbitrary code by injecting crafted packages into the network. The following vulnerabilities in protocol printers have been fixed : - IPv6 mobility printer remote DoS. (CVE-2015-0261, bnc#922220) - Ethernet printer remote DoS. (CVE-2015-2154, bnc#922222) - PPP printer remote DoS (CVE-2014-9140, bnc#923142) last seen 2020-06-01 modified 2020-06-02 plugin id 82658 published 2015-04-09 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82658 title SuSE 11.3 Security Update : tcpdump (SAT Patch Number 10509) NASL family Fedora Local Security Checks NASL id FEDORA_2014-16861.NASL description Fix for CVE-2014-9140 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-12-18 plugin id 80092 published 2014-12-18 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80092 title Fedora 20 : tcpdump-4.5.1-3.fc20 (2014-16861) NASL family MacOS X Local Security Checks NASL id MACOSX_10_10_5.NASL description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 85408 published 2015-08-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85408 title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-125.NASL description Updated tcpdump package fixes security vulnerabilities : The Tcpdump program could crash when processing a malformed OLSR payload when the verbose output flag was set (CVE-2014-8767). The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol in Tcpdump fails to perform input validation and performs unsafe out-of-bound accesses. The application will usually not crash, but perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if a payload exists that might trigger segfaults (CVE-2014-8769). It was discovered that tcpdump incorrectly handled printing PPP packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9140). Several vulnerabilities have been discovered in tcpdump. These vulnerabilities might result in denial of service (application crash) or, potentially, execution of arbitrary code (CVE-2015-0261, CVE-2015-2153, CVE-2015-2154, CVE-2015-2155). last seen 2020-06-01 modified 2020-06-02 plugin id 82378 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82378 title Mandriva Linux Security Advisory : tcpdump (MDVSA-2015:125) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201502-05.NASL description The remote host is affected by the vulnerability described in GLSA-201502-05 (tcpdump: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in tcpdump: The olsr_print function function contains an integer underflow error (CVE-2014-8767) The geonet_print function function contains multiple integer underflow errors (CVE-2014-8768) The decoder for the Ad hoc On-Demand Distance Vector protocol contains an out-of-bounds memory access error (CVE-2014-8769) The ppp_hdlc function contains a buffer overflow error (CVE-2014-9140) Impact : A remote attacker may be able to send a specially crafted packet, possibly resulting in execution of arbitrary code or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 81228 published 2015-02-09 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81228 title GLSA-201502-05 : tcpdump: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2014-16823.NASL description Fix for CVE-2014-9140 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-01-08 plugin id 80403 published 2015-01-08 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80403 title Fedora 21 : tcpdump-4.6.2-3.fc21 (2014-16823) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-267.NASL description tcpdump was updated to fix five vulnerabilities in protocol printers When running tcpdump, a remote unauthenticated user could have crashed the application or, potentially, execute arbitrary code by injecting crafted packages into the network. The following vulnerabilities were fixed : - IPv6 mobility printer remote DoS (CVE-2015-0261, bnc#922220) - PPP printer remote DoS (CVE-2014-9140, bnc#923142) - force printer remote DoS (CVE-2015-2155, bnc#922223) - ethernet printer remote DoS (CVE-2015-2154, bnc#922222) - tcp printer remote DoS (CVE-2015-2153, bnc#922221) last seen 2020-06-05 modified 2015-03-30 plugin id 82425 published 2015-03-30 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82425 title openSUSE Security Update : tcpdump (openSUSE-2015-267) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2433-1.NASL description Steffen Bauch discovered that tcpdump incorrectly handled printing OSLR packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-8767) Steffen Bauch discovered that tcpdump incorrectly handled printing GeoNet packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-8768) Steffen Bauch discovered that tcpdump incorrectly handled printing AODV packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, reveal sensitive information, or possibly execute arbitrary code. (CVE-2014-8769) It was discovered that tcpdump incorrectly handled printing PPP packets. A remote attacker could use this issue to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9140) In the default installation, attackers would be isolated by the tcpdump AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 79741 published 2014-12-05 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79741 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : tcpdump vulnerabilities (USN-2433-1)
References
- http://advisories.mageia.org/MGASA-2014-0511.html
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2015-03/msg00084.html
- http://packetstormsecurity.com/files/130730/tcpdump-Denial-Of-Service-Code-Execution.html
- http://seclists.org/tcpdump/2014/q4/72
- http://www.debian.org/security/2014/dsa-3086
- http://www.debian.org/security/2015/dsa-3193
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:240
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:125
- http://www.securityfocus.com/archive/1/534829/100/0/threaded
- http://www.securityfocus.com/bid/71468
- http://www.ubuntu.com/usn/USN-2433-1
- https://github.com/the-tcpdump-group/tcpdump/commit/0f95d441e4b5d7512cc5c326c8668a120e048eda
- https://support.apple.com/kb/HT205031