openSUSE-SU-2019:2344

openSUSE-SU-2019:2348

https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

https://github.com/the-tcpdump-group/tcpdump/commit/af2cf04a9394c1a56227c2289ae8da262828294a

[debian-lts-announce] 20191011 [SECURITY] [DLA 1955-1] tcpdump security update

FEDORA-2019-6db0d5b9d9

FEDORA-2019-d06bc63433

FEDORA-2019-85d92df70f

20191021 [SECURITY] [DSA 4547-1] tcpdump security update

DSA-4547

CVE-2018-10103

tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2).

CVE-2018-10105 tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2).

CVE-2018-14882 The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp6.c.

CVE-2019-15166 lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.

CVE-2018-16230 The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_attr_print() (MP_REACH_NLRI).

CVE-2018-16300 The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.

CVE-2018-14881 The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART).

CVE-2018-16229 The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option().

CVE-2018-16228 The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix().

CVE-2018-16227 The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read in print-802_11.c for the Mesh Flags subfield.

CVE-2018-16451 The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN.

CVE-2018-16452 The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion.

Impact

These vulnerabilities can result in denial of service (DoS) or, potentially, execution of arbitrary code.

According to the versions of the tcpdump package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - tcpdump before 4.9.3 mishandles the printing of SMB     data (issue 1 of 2).(CVE-2018-10103)

  - tcpdump before 4.9.3 mishandles the printing of SMB     data (issue 2 of 2).(CVE-2018-10105)

  - The FRF.16 parser in tcpdump before 4.9.3 has a buffer     over-read in print-fr.c:mfr_print().(CVE-2018-14468)

  - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp6.c.(CVE-2018-14882)

  - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump     before 4.9.3 lacks certain bounds     checks.(CVE-2019-15166)

  - The LDP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ldp.c:ldp_tlv_print().(CVE-2018-14461)

  - The ICMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp.c:icmp_print().(CVE-2018-14462)

  - The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in print-vrrp.c:vrrp_print().(CVE-2018-14463)

  - The LMP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-lmp.c:lmp_print_data_link_subobjs().(CVE-2018-144     64)

  - The RSVP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-rsvp.c:rsvp_obj_print().(CVE-2018-14465)

  - The Rx parser in tcpdump before 4.9.3 has a buffer     over-read in print-rx.c:rx_cache_find() and     rx_cache_insert().(CVE-2018-14466)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP).(CVE-2018-14467)

  - The IKEv1 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-isakmp.c:ikev1_n_print().(CVE-2018-14469)

  - The Babel parser in tcpdump before 4.9.3 has a buffer     over-read in     print-babel.c:babel_print_v2().(CVE-2018-14470)

  - The command-line argument parser in tcpdump before     4.9.3 has a buffer overflow in     tcpdump.c:get_next_file().(CVE-2018-14879)

  - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ospf6.c:ospf6_print_lshdr().(CVE-2018-14880)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART).(CVE-2018-14881)

  - The IEEE 802.11 parser in tcpdump before 4.9.3 has a     buffer over-read in print-802_11.c for the Mesh Flags     subfield.(CVE-2018-16227)

  - The DCCP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-dccp.c:dccp_print_option().(CVE-2018-16229)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI).(CVE-2018-16230)

  - The BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion.(CVE-2018-16300)

  - The SMB parser in tcpdump before 4.9.3 has buffer     over-reads in print-smb.c:print_trans() for     \MAILSLOT\BROWSE and \PIPE\LANMAN.(CVE-2018-16451)

  - The SMB parser in tcpdump before 4.9.3 has stack     exhaustion in smbutil.c:smb_fdata() via     recursion.(CVE-2018-16452)

  - The HNCP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-hncp.c:print_prefix().(CVE-2018-16228)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the tcpdump package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - tcpdump.org tcpdump 4.9.2 is affected by: CWE-126:
    Buffer Over-read. The impact is: May expose Saved Frame     Pointer, Return Address etc. on stack. The component     is: line 234: 'ND_PRINT((ndo, '%s', buf))', in function     named 'print_prefix', in 'print-hncp.c'. The attack     vector is: The victim must open a specially crafted     pcap file.(CVE-2019-1010220)

  - In tcpdump 4.9.2, a stack-based buffer over-read exists     in the print_prefix function of print-hncp.c via     crafted packet data because of missing     initialization.(CVE-2018-19519)

  - This candidate has been reserved by an organization or     individual that will use it when announcing a new     security problem. When the candidate has been     publicized, the details for this candidate will be     provided.(CVE-2019-15167)

  - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump     before 4.9.3 lacks certain bounds     checks.(CVE-2019-15166)

  - The HNCP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-hncp.c:print_prefix().(CVE-2018-16228)

  - The BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion.(CVE-2018-16300)

  - The SMB parser in tcpdump before 4.9.3 has stack     exhaustion in smbutil.c:smb_fdata() via     recursion.(CVE-2018-16452)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI).(CVE-2018-16230)

  - libpcap before 1.9.1, as used in tcpdump before 4.9.3,     has a buffer overflow and/or over-read because of     errors in pcapng reading.(CVE-2018-16301)

  - The DCCP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-dccp.c:dccp_print_option().(CVE-2018-16229)

  - The IEEE 802.11 parser in tcpdump before 4.9.3 has a     buffer over-read in print-802_11.c for the Mesh Flags     subfield.(CVE-2018-16227)

  - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp6.c.(CVE-2018-14882)

  - The SMB parser in tcpdump before 4.9.3 has buffer     over-reads in print-smb.c:print_trans() for     \MAILSLOT\BROWSE and \PIPE\LANMAN.(CVE-2018-16451)

  - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ospf6.c:ospf6_print_lshdr().(CVE-2018-14880)

  - tcpdump before 4.9.3 mishandles the printing of SMB     data (issue 2 of 2).(CVE-2018-10105)

  - tcpdump before 4.9.3 mishandles the printing of SMB     data (issue 1 of 2).(CVE-2018-10103)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP).(CVE-2018-14467)

  - The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in print-vrrp.c:vrrp_print().(CVE-2018-14463)

  - The LMP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-lmp.c:lmp_print_data_link_subobjs().(CVE-2018-144     64)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART).(CVE-2018-14881)

  - The RSVP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-rsvp.c:rsvp_obj_print().(CVE-2018-14465)

  - The ICMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp.c:icmp_print().(CVE-2018-14462)

  - The LDP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ldp.c:ldp_tlv_print().(CVE-2018-14461)

  - The Rx parser in tcpdump before 4.9.3 has a buffer     over-read in print-rx.c:rx_cache_find() and     rx_cache_insert().(CVE-2018-14466)

  - The Babel parser in tcpdump before 4.9.3 has a buffer     over-read in     print-babel.c:babel_print_v2().(CVE-2018-14470)

  - The IKEv1 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-isakmp.c:ikev1_n_print().(CVE-2018-14469)

  - The FRF.16 parser in tcpdump before 4.9.3 has a buffer     over-read in print-fr.c:mfr_print().(CVE-2018-14468)

  - tcpdump 4.9.2 has a heap-based buffer over-read related     to aoe_print in print-aoe.c and lookup_emem in     addrtoname.c.(CVE-2017-16808)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14467 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14467 The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_MP). The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in print-vrrp.c:vrrp_print(). The LMP parser in tcpdump before 4.9.3 has a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs(). The Babel parser in tcpdump before 4.9.3 has a buffer over-read in print-babel.c:babel_print_v2(). tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2). The LDP parser in tcpdump before 4.9.3 has a buffer over-read in print-ldp.c:ldp_tlv_print(). tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2).
Tcpdump is vulnerable to a buffer overflow, caused by improper bounds checking by the lmp_print_data_link_subobjs function in print-lmp.c.
By sending specially-crafted data, a remote attacker could overflow a buffer and cause the application to crash. The Rx parser in tcpdump before 4.9.3 has a buffer over-read in print-rx.c:rx_cache_find() and rx_cache_insert(). The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in print-isakmp.c:ikev1_n_print(). The FRF.16 parser in tcpdump before 4.9.3 has a buffer over-read in print-fr.c:mfr_print(). The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_capabilities_print() (BGP_CAPCODE_RESTART). The ICMP parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp.c:icmp_print(). The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr(). The RSVP parser in tcpdump before 4.9.3 has a buffer over-read in print-rsvp.c:rsvp_obj_print(). The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN. The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion. The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print-bgp.c:bgp_attr_print() (MP_REACH_NLRI). lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks. The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file(). The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix(). The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option(). The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read in print-802_11.c for the Mesh Flags subfield. The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion. The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in print-icmp6.c. tcpdump before 4.9.3 has a heap-based buffer over-read related to aoe_print in print-aoe.c and lookup_emem in addrtoname.c.

The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.6 Security Update 2019-007, 10.14.x prior to 10.14.6 Security Update 2019-002, or 10.15.x prior to 10.15.2. It is, therefore, affected by multiple vulnerabilities :

  - slapd in OpenLDAP before 2.4.30 allows remote attackers     to cause a denial of service (assertion failure and     daemon exit) via an LDAP search query with attrsOnly set     to true, which causes empty attributes to be returned.
    (CVE-2012-1164)

  - libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31     and earlier, when using the Mozilla NSS backend, always     uses the default cipher suite even when TLSCipherSuite     is set, which might cause OpenLDAP to use weaker ciphers     than intended and make it easier for remote attackers to     obtain sensitive information. (CVE-2012-2668)

  - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier     does not properly count references, which allows remote     attackers to cause a denial of service (slapd crash) by     unbinding immediately after a search request, which     triggers rwm_conn_destroy to free the session context     while it is being used by rwm_op_search. (CVE-2013-4449)

  - The deref_parseCtrl function in     servers/slapd/overlays/deref.c in OpenLDAP 2.4.13     through 2.4.40 allows remote attackers to cause a denial     of service (NULL pointer dereference and crash) via an     empty attribute list in a deref control in a search     request. (CVE-2015-1545)

  - tcpdump before 4.9.3 has a heap-based buffer over-read     related to aoe_print in print-aoe.c and lookup_emem in     addrtoname.c. (CVE-2017-16808)

  - tcpdump before 4.9.3 mishandles the printing of SMB data     (issue 1 of 2). (CVE-2018-10103)

  - tcpdump before 4.9.3 mishandles the printing of SMB data     (issue 2 of 2). (CVE-2018-10105)

  - The LDP parser in tcpdump before 4.9.3 has a buffer     over-read in print-ldp.c:ldp_tlv_print().
    (CVE-2018-14461)

  - The ICMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp.c:icmp_print(). (CVE-2018-14462)

  - The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in print-vrrp.c:vrrp_print(). (CVE-2018-14463)

  - The LMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-lmp.c:lmp_print_data_link_subobjs().
    (CVE-2018-14464)

  - The RSVP parser in tcpdump before 4.9.3 has a buffer     over-read in print-rsvp.c:rsvp_obj_print().
    (CVE-2018-14465)

  - The Rx parser in tcpdump before 4.9.3 has a buffer over-     read in print-rx.c:rx_cache_find() and     rx_cache_insert(). (CVE-2018-14466)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP). (CVE-2018-14467)

  - The FRF.16 parser in tcpdump before 4.9.3 has a buffer     over-read in print-fr.c:mfr_print(). (CVE-2018-14468)

  - The IKEv1 parser in tcpdump before 4.9.3 has a buffer     over-read in print-isakmp.c:ikev1_n_print().
    (CVE-2018-14469)

  - The Babel parser in tcpdump before 4.9.3 has a buffer     over-read in print-babel.c:babel_print_v2().
    (CVE-2018-14470)

  - The command-line argument parser in tcpdump before 4.9.3     has a buffer overflow in tcpdump.c:get_next_file().
    (CVE-2018-14879)

  - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in print-ospf6.c:ospf6_print_lshdr().
    (CVE-2018-14880)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART). (CVE-2018-14881)

  - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp6.c. (CVE-2018-14882)

  - The IEEE 802.11 parser in tcpdump before 4.9.3 has a     buffer over-read in print-802_11.c for the Mesh Flags     subfield. (CVE-2018-16227)

  - The HNCP parser in tcpdump before 4.9.3 has a buffer     over-read in print-hncp.c:print_prefix().
    (CVE-2018-16228)

  - The DCCP parser in tcpdump before 4.9.3 has a buffer     over-read in print-dccp.c:dccp_print_option().
    (CVE-2018-16229)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI). (CVE-2018-16230)

  - The BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion. (CVE-2018-16300)

  - libpcap before 1.9.1, as used in tcpdump before 4.9.3,     has a buffer overflow and/or over-read because of errors     in pcapng reading. (CVE-2018-16301)

  - The SMB parser in tcpdump before 4.9.3 has buffer over-     reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE     and \PIPE\LANMAN. (CVE-2018-16451)

  - The SMB parser in tcpdump before 4.9.3 has stack     exhaustion in smbutil.c:smb_fdata() via recursion.
    (CVE-2018-16452)

  - An issue was discovered in the server in OpenLDAP before     2.4.48. When the server administrator delegates rootDN     (database admin) privileges for certain databases but     wants to maintain isolation (e.g., for multi-tenant     deployments), slapd does not properly stop a rootDN from     requesting authorization as an identity from another     database during a SASL bind or with a proxyAuthz (RFC     4370) control. (It is not a common configuration to     deploy a system where the server administrator and a DB     administrator enjoy different levels of trust.)     (CVE-2019-13057)

  - An issue was discovered in OpenLDAP 2.x before 2.4.48.
    When using SASL authentication and session encryption,     and relying on the SASL security layers in slapd access     controls, it is possible to obtain access that would     otherwise be denied via a simple bind for any identity     covered in those ACLs. After the first SASL bind is     completed, the sasl_ssf value is retained for all new     non-SASL connections. Depending on the ACL     configuration, this can affect different types of     operations (searches, modifications, etc.). In other     words, a successful authorization step completed by one     user affects the authorization requirement for a     different user. (CVE-2019-13565)

  - rpcapd/daemon.c in libpcap before 1.9.1 mishandles     certain length values because of reuse of a variable.
    This may open up an attack vector involving extra data     at the end of a request. (CVE-2019-15161)

  - rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows     platforms provides details about why authentication     failed, which might make it easier for attackers to     enumerate valid usernames. (CVE-2019-15162)

  - rpcapd/daemon.c in libpcap before 1.9.1 allows attackers     to cause a denial of service (NULL pointer dereference     and daemon crash) if a crypt() call fails.
    (CVE-2019-15163)

  - rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF     because a URL may be provided as a capture source.
    (CVE-2019-15164)

  - sf-pcapng.c in libpcap before 1.9.1 does not properly     validate the PHB header length before allocating memory.
    (CVE-2019-15165)

  - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump     before 4.9.3 lacks certain bounds checks.
    (CVE-2019-15166)

  - In libexpat before 2.2.8, crafted XML input could fool     the parser into changing from DTD parsing to document     parsing too early; a consecutive call to     XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)     then resulted in a heap-based buffer over-read.
    (CVE-2019-15903)

Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.

According to the versions of the tcpdump package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The LDP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ldp.c:ldp_tlv_print().(CVE-2018-14461)

  - The ICMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp.c:icmp_print().(CVE-2018-14462)

  - The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in print-vrrp.c:vrrp_print().(CVE-2018-14463)

  - The LMP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-lmp.c:lmp_print_data_link_subobjs().(CVE-2018-144     64)

  - The RSVP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-rsvp.c:rsvp_obj_print().(CVE-2018-14465)

  - The Rx parser in tcpdump before 4.9.3 has a buffer     over-read in print-rx.c:rx_cache_find() and     rx_cache_insert().(CVE-2018-14466)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP).(CVE-2018-14467)

  - The IKEv1 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-isakmp.c:ikev1_n_print().(CVE-2018-14469)

  - The Babel parser in tcpdump before 4.9.3 has a buffer     over-read in     print-babel.c:babel_print_v2().(CVE-2018-14470)

  - The command-line argument parser in tcpdump before     4.9.3 has a buffer overflow in     tcpdump.c:get_next_file().(CVE-2018-14879)

  - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ospf6.c:ospf6_print_lshdr().(CVE-2018-14880)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART).(CVE-2018-14881)

  - The IEEE 802.11 parser in tcpdump before 4.9.3 has a     buffer over-read in print-802_11.c for the Mesh Flags     subfield.(CVE-2018-16227)

  - The DCCP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-dccp.c:dccp_print_option().(CVE-2018-16229)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI).(CVE-2018-16230)

  - The BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion.(CVE-2018-16300)

  - The SMB parser in tcpdump before 4.9.3 has buffer     over-reads in print-smb.c:print_trans() for     \MAILSLOT\BROWSE and \PIPE\LANMAN.(CVE-2018-16451)

  - The SMB parser in tcpdump before 4.9.3 has stack     exhaustion in smbutil.c:smb_fdata() via     recursion.(CVE-2018-16452)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the tcpdump package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The tcpdump packages contain the tcpdump utility for     monitoring network traffic. The tcpdump utility can     capture and display the packet headers on a particular     network interface or on all interfaces.Security     Fix(es):tcpdump before 4.9.3 has a heap-based buffer     over-read related to aoe_print in print-aoe.c and     lookup_emem in addrtoname.c.(CVE-2017-16808)The FRF.16     parser in tcpdump before 4.9.3 has a buffer over-read     in print-fr.c:mfr_print().(CVE-2018-14468)The IKEv1     parser in tcpdump before 4.9.3 has a buffer over-read     in print-isakmp.c:ikev1_n_print().(CVE-2018-14469)The     Babel parser in tcpdump before 4.9.3 has a buffer     over-read in     print-babel.c:babel_print_v2().(CVE-2018-14470)The Rx     parser in tcpdump before 4.9.3 has a buffer over-read     in print-rx.c:rx_cache_find() and     rx_cache_insert().(CVE-2018-14466)The LDP parser in     tcpdump before 4.9.3 has a buffer over-read in     print-ldp.c:ldp_tlv_print().(CVE-2018-14461)The ICMP     parser in tcpdump before 4.9.3 has a buffer over-read     in print-icmp.c:icmp_print().(CVE-2018-14462)The RSVP     parser in tcpdump before 4.9.3 has a buffer over-read     in print-rsvp.c:rsvp_obj_print().(CVE-2018-14465)The     BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART).(CVE-2018-14881)The LMP parser in     tcpdump before 4.9.3 has a buffer over-read in     print-lmp.c:lmp_print_data_link_subobjs().(CVE-2018-144     64)The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in     print-vrrp.c:vrrp_print().(CVE-2018-14463)The BGP     parser in tcpdump before 4.9.3 has a buffer over-read     in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP).(CVE-2018-14467)tcpdump before 4.9.3     mishandles the printing of SMB data (issue 1 of     2).(CVE-2018-10103)tcpdump before 4.9.3 mishandles the     printing of SMB data (issue 2 of 2).(CVE-2018-10105)The     OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in     print-ospf6.c:ospf6_print_lshdr().(CVE-2018-14880)The     SMB parser in tcpdump before 4.9.3 has buffer     over-reads in print-smb.c:print_trans() for     \MAILSLOT\BROWSE and \PIPE\LANMAN.(CVE-2018-16451)The     ICMPv6 parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp6.c.(CVE-2018-14882)The IEEE     802.11 parser in tcpdump before 4.9.3 has a buffer     over-read in print-802_11.c for the Mesh Flags     subfield.(CVE-2018-16227)The DCCP parser in tcpdump     before 4.9.3 has a buffer over-read in     print-dccp.c:dccp_print_option().(CVE-2018-16229)libpca     p before 1.9.1, as used in tcpdump before 4.9.3, has a     buffer overflow and/or over-read because of errors in     pcapng reading.(CVE-2018-16301)The BGP parser in     tcpdump before 4.9.3 has a buffer over-read in     print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI).(CVE-2018-16230)The SMB parser in     tcpdump before 4.9.3 has stack exhaustion in     smbutil.c:smb_fdata() via recursion.(CVE-2018-16452)The     BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion.(CVE-2018-16300)The HNCP parser in     tcpdump before 4.9.3 has a buffer over-read in     print-hncp.c:print_prefix().(CVE-2018-16228)lmp_print_d     ata_link_subobjs() in print-lmp.c in tcpdump before     4.9.3 lacks certain bounds     checks.(CVE-2019-15166)tcpdump.org tcpdump 4.9.2 is     affected by: CWE-126: Buffer Over-read. The impact is:
    May expose Saved Frame Pointer, Return Address etc. on     stack. The component is: line 234: 'ND_PRINT((ndo,     '%s', buf))', in function named 'print_prefix', in     'print-hncp.c'. The attack vector is: The victim must     open a specially crafted pcap file.(CVE-2019-1010220)In     tcpdump 4.9.2, a stack-based buffer over-read exists in     the print_prefix function of print-hncp.c via crafted     packet data because of missing     initialization.(CVE-2018-19519)The command-line     argument parser in tcpdump before 4.9.3 has a buffer     overflow in tcpdump.c:get_next_file().(CVE-2018-14879)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New version 4.9.3, Security fix for CVE-2017-16808, CVE-2018-14468, CVE-2018-14469, CVE-2018-14470, CVE-2018-14466, CVE-2018-14461, CVE-2018-14462, CVE-2018-14465, CVE-2018-14881, CVE-2018-14464, CVE-2018-14463, CVE-2018-14467, CVE-2018-10103, CVE-2018-10105, CVE-2018-14880, CVE-2018-16451, CVE-2018-14882, CVE-2018-16227, CVE-2018-16229, CVE-2018-16301, CVE-2018-16230, CVE-2018-16452, CVE-2018-16300, CVE-2018-16228, CVE-2019-15166, CVE-2019-15167, CVE-2017-16808, CVE-2018-14882, CVE-2018-19519

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or, potentially, execution of arbitrary code.

An update of the tcpdump package has been released.

This update for tcpdump fixes the following issues :

  - CVE-2017-16808: Fixed a heap-based buffer over-read     related to aoe_print and lookup_emem (bsc#1068716     bsc#1153098).

  - CVE-2018-10103: Fixed a mishandling of the printing of     SMB data (bsc#1153098).

  - CVE-2018-10105: Fixed a mishandling of the printing of     SMB data (bsc#1153098).

  - CVE-2018-14461: Fixed a buffer over-read in     print-ldp.c:ldp_tlv_print (bsc#1153098).

  - CVE-2018-14462: Fixed a buffer over-read in     print-icmp.c:icmp_print (bsc#1153098).

  - CVE-2018-14463: Fixed a buffer over-read in     print-vrrp.c:vrrp_print (bsc#1153098).

  - CVE-2018-14464: Fixed a buffer over-read in     print-lmp.c:lmp_print_data_link_subobjs (bsc#1153098).

  - CVE-2018-14465: Fixed a buffer over-read in     print-rsvp.c:rsvp_obj_print (bsc#1153098).

  - CVE-2018-14466: Fixed a buffer over-read in     print-rx.c:rx_cache_find (bsc#1153098).

  - CVE-2018-14467: Fixed a buffer over-read in     print-bgp.c:bgp_capabilities_print (bsc#1153098).

  - CVE-2018-14468: Fixed a buffer over-read in     print-fr.c:mfr_print (bsc#1153098).

  - CVE-2018-14469: Fixed a buffer over-read in     print-isakmp.c:ikev1_n_print (bsc#1153098).

  - CVE-2018-14470: Fixed a buffer over-read in     print-babel.c:babel_print_v2 (bsc#1153098).

  - CVE-2018-14879: Fixed a buffer overflow in the     command-line argument parser (bsc#1153098).

  - CVE-2018-14880: Fixed a buffer over-read in the OSPFv3     parser (bsc#1153098).

  - CVE-2018-14881: Fixed a buffer over-read in the BGP     parser (bsc#1153098).

  - CVE-2018-14882: Fixed a buffer over-read in the ICMPv6     parser (bsc#1153098).

  - CVE-2018-16227: Fixed a buffer over-read in the IEEE     802.11 parser in print-802_11.c for the Mesh Flags     subfield (bsc#1153098).

  - CVE-2018-16228: Fixed a buffer over-read in the HNCP     parser (bsc#1153098).

  - CVE-2018-16229: Fixed a buffer over-read in the DCCP     parser (bsc#1153098).

  - CVE-2018-16230: Fixed a buffer over-read in the BGP     parser in print-bgp.c:bgp_attr_print (bsc#1153098).

  - CVE-2018-16300: Fixed an unlimited recursion in the BGP     parser that allowed denial-of-service by stack     consumption (bsc#1153098).

  - CVE-2018-16301: Fixed a buffer overflow (bsc#1153332     bsc#1153098).

  - CVE-2018-16451: Fixed several buffer over-reads in     print-smb.c:print_trans() for \MAILSLOT\BROWSE and     \PIPE\LANMAN (bsc#1153098).

  - CVE-2018-16452: Fixed a stack exhaustion in     smbutil.c:smb_fdata (bsc#1153098).

  - CVE-2019-15166: Fixed a bounds check in     lmp_print_data_link_subobjs (bsc#1153098).

  - CVE-2019-15167: Fixed a vulnerability in VRRP     (bsc#1153098).

This update was imported from the SUSE:SLE-15:Update update project.

This update for tcpdump fixes the following issues :

CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print and lookup_emem (bsc#1068716 bsc#1153098).

CVE-2018-10103: Fixed a mishandling of the printing of SMB data (bsc#1153098).

CVE-2018-10105: Fixed a mishandling of the printing of SMB data (bsc#1153098).

CVE-2018-14461: Fixed a buffer over-read in print-ldp.c:ldp_tlv_print (bsc#1153098).

CVE-2018-14462: Fixed a buffer over-read in print-icmp.c:icmp_print (bsc#1153098).

CVE-2018-14463: Fixed a buffer over-read in print-vrrp.c:vrrp_print (bsc#1153098).

CVE-2018-14464: Fixed a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs (bsc#1153098).

CVE-2018-14465: Fixed a buffer over-read in print-rsvp.c:rsvp_obj_print (bsc#1153098).

CVE-2018-14466: Fixed a buffer over-read in print-rx.c:rx_cache_find (bsc#1153098).

CVE-2018-14467: Fixed a buffer over-read in print-bgp.c:bgp_capabilities_print (bsc#1153098).

CVE-2018-14468: Fixed a buffer over-read in print-fr.c:mfr_print (bsc#1153098).

CVE-2018-14469: Fixed a buffer over-read in print-isakmp.c:ikev1_n_print (bsc#1153098).

CVE-2018-14470: Fixed a buffer over-read in print-babel.c:babel_print_v2 (bsc#1153098).

CVE-2018-14879: Fixed a buffer overflow in the command-line argument parser (bsc#1153098).

CVE-2018-14880: Fixed a buffer over-read in the OSPFv3 parser (bsc#1153098).

CVE-2018-14881: Fixed a buffer over-read in the BGP parser (bsc#1153098).

CVE-2018-14882: Fixed a buffer over-read in the ICMPv6 parser (bsc#1153098).

CVE-2018-16227: Fixed a buffer over-read in the IEEE 802.11 parser in print-802_11.c for the Mesh Flags subfield (bsc#1153098).

CVE-2018-16228: Fixed a buffer over-read in the HNCP parser (bsc#1153098).

CVE-2018-16229: Fixed a buffer over-read in the DCCP parser (bsc#1153098).

CVE-2018-16230: Fixed a buffer over-read in the BGP parser in print-bgp.c:bgp_attr_print (bsc#1153098).

CVE-2018-16300: Fixed an unlimited recursion in the BGP parser that allowed denial-of-service by stack consumption (bsc#1153098).

CVE-2018-16301: Fixed a buffer overflow (bsc#1153332 bsc#1153098).

CVE-2018-16451: Fixed several buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN (bsc#1153098).

CVE-2018-16452: Fixed a stack exhaustion in smbutil.c:smb_fdata (bsc#1153098).

CVE-2019-15166: Fixed a bounds check in lmp_print_data_link_subobjs (bsc#1153098).

CVE-2019-15167: Fixed a vulnerability in VRRP (bsc#1153098).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These security vulnerabilities might result in denial of service or, potentially, execution of arbitrary code.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.3-1~deb8u1.

We recommend that you upgrade your tcpdump packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libpcap and tcpdump packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

ID	Name	Product	Family	Severity
138231	F5 Networks BIG-IP : Multiple tcpdump vulnerabilities (K44551633)	Nessus	F5 Networks Local Security Checks	high
135566	EulerOS 2.0 SP3 : tcpdump (EulerOS-SA-2020-1437)	Nessus	Huawei Local Security Checks	high
133291	Ubuntu 16.04 LTS / 18.04 LTS : tcpdump vulnerabilities (USN-4252-1)	Nessus	Ubuntu Local Security Checks	high
132826	EulerOS Virtualization for ARM 64 3.0.5.0 : tcpdump (EulerOS-SA-2020-1072)	Nessus	Huawei Local Security Checks	high
132733	AIX 7.2 TL 4 : tcpdump (IJ20786)	Nessus	AIX Local Security Checks	high
132732	AIX 7.2 TL 3 : tcpdump (IJ20785)	Nessus	AIX Local Security Checks	high
132731	AIX 7.2 TL 2 : tcpdump (IJ20784)	Nessus	AIX Local Security Checks	high
132730	AIX 7.1 TL 5 : tcpdump (IJ20783)	Nessus	AIX Local Security Checks	high
131957	macOS 10.15.x < 10.15.2 / 10.14.x < 10.14.6 Security Update 2019-002 / 10.13.x < 10.13.6 Security Update 2019-007	Nessus	MacOS X Local Security Checks	high
131825	EulerOS 2.0 SP5 : tcpdump (EulerOS-SA-2019-2551)	Nessus	Huawei Local Security Checks	high
131371	EulerOS 2.0 SP8 : tcpdump (EulerOS-SA-2019-2305)	Nessus	Huawei Local Security Checks	high
130370	Fedora 31 : 14:tcpdump (2019-6db0d5b9d9)	Nessus	Fedora Local Security Checks	high
130321	Fedora 30 : 14:tcpdump (2019-d06bc63433)	Nessus	Fedora Local Security Checks	high
130308	Fedora 29 : 14:tcpdump (2019-85d92df70f)	Nessus	Fedora Local Security Checks	high
130135	Debian DSA-4547-1 : tcpdump - security update	Nessus	Debian Local Security Checks	high
130122	Photon OS 3.0: Tcpdump PHSA-2019-3.0-0034	Nessus	PhotonOS Local Security Checks	high
130118	Photon OS 2.0: Tcpdump PHSA-2019-2.0-0182	Nessus	PhotonOS Local Security Checks	high
130086	openSUSE Security Update : tcpdump (openSUSE-2019-2348)	Nessus	SuSE Local Security Checks	high
130083	openSUSE Security Update : tcpdump (openSUSE-2019-2344)	Nessus	SuSE Local Security Checks	high
129966	SUSE SLED15 / SLES15 Security Update : tcpdump (SUSE-SU-2019:2674-1)	Nessus	SuSE Local Security Checks	high
129828	Debian DLA-1955-1 : tcpdump security update	Nessus	Debian Local Security Checks	high
129521	Slackware 14.0 / 14.1 / 14.2 / current : tcpdump (SSA:2019-274-01)	Nessus	Slackware Local Security Checks	high

CVE-2018-16300

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins