Release Date: 21-Jan-2015

Last Update: –

Vendor Notification Date: 05-Jan-2015

Product: tcpdump

Platform: Windows / *nix / Mac OSX

Affected versions: 4.1 – 4.6.2

Severity Rating: Medium

Impact: Memory disclosure
Out-of-bound read access
Denial of Service

Attack Vector: Local

Solution Status: Vendor update

CVE reference: CVE-2015-1037

Details

tcpdump is a common command line packet analyser. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. When dissecting an ARCNet packet type, tcpdump uses the length announced in the PCAP in the ARCNet header to read and display the packet content mapped in memory, by calling the function hex_and_ascii_print_with_offset(). If the captured length is less than the length announced in the packet (which can be forged), the call to arcnet_if_print() function will dump memory content, eventually causing tcpdump to generate a segmentation fault crash if the pointer reaches an invalid address.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Update to tcpdump version 4.6.3.

Discovered By

Christophe Alladoum from Sense of Security Labs.