TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.

Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems.

These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command line option is being used.

NOTE: the racoon ISAKMP/IKE daemon incorporates the ISAKMP protocol handler from tcpdump, and so is also affected by this issue.

Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix denial-of-service issues. Sites using tcpdump should upgrade to the new packages.

tcpdump, a tool for network monitoring and data acquisition, was found to contain two vulnerabilities whereby tcpdump could be caused to crash through attempts to read from invalid memory locations. This bug is triggered by certain invalid ISAKMP packets.

The remote host is missing Security Update 2004-09-07.  This security update fixes the following components :

  - CoreFoundation
  - IPSec
  - Kerberos
  - libpcap
  - lukemftpd
  - NetworkConfig
  - OpenLDAP
  - OpenSSH
  - PPPDialer
  - rsync
  - Safari
  - tcpdump

These applications contain multiple vulnerabilities that may allow a remote attacker to execute arbitrary code.

A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump. These vulnerabilities include :

Remote attackers can cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read. (CVE-2004-1083)

Integer underflow in the isakmp_id_print allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read.
(CVE-2004-0184)

The updated packages are patched to correct these problems.

Updated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in ISAKMP parsing.

Tcpdump is a command-line tool for monitoring network traffic.

Tcpdump v3.8.1 and earlier versions contained multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP would try to read beyond the end of the packet capture buffer and subsequently crash.

Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues.

ID	Name	Product	Family	Severity
19180	FreeBSD : tcpdump ISAKMP payload handling remote denial-of-service (f8551668-de09-4d7b-9720-f1360929df07)	Nessus	FreeBSD Local Security Checks	medium
18783	Slackware 8.1 / 9.0 / 9.1 / current : tcpdump denial of service (SSA:2004-108-01)	Nessus	Slackware Local Security Checks	medium
15315	Debian DSA-478-1 : tcpdump - denial of service	Nessus	Debian Local Security Checks	medium
14676	Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)	Nessus	MacOS X Local Security Checks	high
14129	Mandrake Linux Security Advisory : tcpdump (MDKSA-2004:030)	Nessus	Mandriva Local Security Checks	medium
12498	RHEL 2.1 / 3 : tcpdump (RHSA-2004:219)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2004-0183

high

Tenable Plugins

medium

medium

medium

high

medium

medium