{"reporter": "f5", "published": "2007-05-16T00:00:00", "cvelist": ["CVE-2001-1279"], "title": "SOL1877 - OpenSSH Remote Challenge Vulnerability - CAN-2001-1279", "objectVersion": "1.2", "type": "f5", "hash": "ea2ae4ecaaaa32d57ec159494be1713736e44e16fca043c0f01480017c4b7d03", "href": "http://support.f5.com/kb/en-us/solutions/public/1000/800/sol1877.html", "bulletinFamily": "software", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "1d38a722e8b05fe19ddf5680d784caed", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fd9ee2c6308545adc8005cedcb09c4e2", "key": "description"}, {"hash": "71f87625001e07485cf058b22078db8e", "key": "href"}, {"hash": "adaf791ca2f1e86d4ceb1cda34a13a7c", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "1403f4a570de40c0eb3874301f410578", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "74ce2e1a498f2fa27b5542040be774dc", "key": "reporter"}, {"hash": "1e93beb0f5b0ecccbbea4845f2904560", "key": "title"}, {"hash": "74ce2e1a498f2fa27b5542040be774dc", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "vulnersScore": 5.0}, "modified": "2013-06-27T00:00:00", "viewCount": 1, "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "affectedSoftware": [], "references": [], "id": "SOL1877", "lastseen": "2016-09-26T17:23:02", "description": "Information about this advisory can be found at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1279>\n"}

{"cve": [{"lastseen": "2016-09-03T03:10:51", "references": ["http://www.redhat.com/support/errata/RHSA-2001-089.html", "http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000480", "ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc", "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-032.php", "http://www.kb.cert.org/vuls/id/797201", "http://www.securityfocus.com/bid/3065", "http://www.iss.net/security_center/static/7006.php", "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-025.0.txt"], "description": "Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows remote attackers to cause a denial of service and possibly execute arbitrary code via AFS RPC packets with invalid lengths that trigger an integer signedness error, a different vulnerability than CVE-2000-1026.", "edition": 1, "reporter": "NVD", "published": "2001-07-17T00:00:00", "title": "CVE-2001-1279", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T03:10:51", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2001-1279"], "scanner": [], "cpe": ["cpe:/a:lbl:tcpdump:3.6.2"], "modified": "2008-09-10T15:10:10", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1279", "id": "CVE-2001-1279", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-08-31T02:37:49", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2001-1279", "http://www.securityfocus.com/bid/3065", "http://windump.polito.it/", "http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23"], "description": "### Overview\n\nA vulnerability exists in tcpdump that could allow an attacker to execute arbitrary code with the privileges of tcpdump, typically root.\n\n### Description\n\ntcpdump is a widely-used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory [FreeBSD-SA-01:48](<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc>), this vulnerability is caused by \"...incorrect string length handling in the decoding of AFS RPC packets.\" \n \n--- \n \n### Impact\n\nA remote attacker who is able to send crafted AFS RPC (Rx) packets may be able to execute arbitrary code or cause a denial of service on a system running tcpdump. If tcpdump is operating in promiscuous mode, the attacker only needs to send packets to the ethernet segment in which tcpdump is running. On Linux systems, tcpdump runs with root privileges. On other UNIX systems, tcpdump may run with root privileges. On Windows 2000 systems, [windump](<http://windump.polito.it/>) can be run with user privileges. \n \n--- \n \n### Solution\n\n**Upgrade tcpdump** \n \nThis vulnerability was addressed in July 2001. tcpdump3_6_rel3 and later are not vulnerable. tcpdump 3.6.2 and earlier are vulnerable. Obtain an upgraded tcpdump package or apply the appropriate patch from your vendor. \n \n--- \n \n \n**Filter AFS Traffic** \n \nBlock AFS RPC (Rx) packets destined to hosts (and networks with hosts) running vulnerable versions of tcpdump. AFS services communicate on a number of UDP ports: \n \n`7000/udp fileserver` \n`7001/udp callback (cache manager on AFS client)` \n`7002/udp ptserver ` \n`7003/udp vlserver` \n`7004/udp kaserver` \n`7005/udp volserver` \n`7007/udp bosserver` \n`7008/udp upserver` \n`7009/udp rmtsysd (NFS/AFS translator)` \n`7021/udp buserver` \n`7025-65535/udp butc (backup servers)` \n \nIt may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers (ports 7021 and &gt;7025 are not included in this filter): \n \n`$ tcpdump not udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009` \n \nWhile blocking AFS Rx traffic into a network may protect internal hosts, it may not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). Also, it is unclear how tcpdump determines that a given packet should be decoded as an AFS Rx packet. It is likely that tcpdump does not rely on port numbers, and if this is the case then an attacker could easily bypass port filters by using non-AFS port numbers. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nConectiva| | -| 07 Jun 2002 \nFreeBSD| | -| 07 Jun 2002 \nMandrakeSoft| | -| 07 Jun 2002 \nRed Hat, Inc.| | -| 07 Jun 2002 \ntcpdump.org| | -| 12 Jun 2002 \nCaldera| | -| 07 Jun 2002 \nPolitecnico Di Torino| | -| 07 Jun 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23797201 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * [VU#776781](<VU#776781>)\n * <http://www.securityfocus.com/bid/3065>\n * <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc>\n * <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch>\n * [http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&amp;r2;=1.23](<http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23>)\n\n### Credit\n\nThe CERT Coordination Center thanks FreeBSD and tcpdump.org for information used in this document.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n * CVE IDs: [CAN-2001-1279](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2001-1279>)\n * Date Public: 09 Jul 2001\n * Date First Published: 07 Jun 2002\n * Date Last Updated: 12 Jun 2002\n * Severity Metric: 10.94\n * Document Revision: 43\n\n", "edition": 4, "reporter": "CERT", "published": "2002-06-07T00:00:00", "title": "tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "info", "cvelist": ["CVE-2001-1279", "CVE-2001-1279"], "modified": "2002-06-12T00:00:00", "id": "VU:797201", "href": "https://www.kb.cert.org/vuls/id/797201", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:05", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2001:089\nISS X-Force ID: 7006\n[CVE-2001-1279](https://vulners.com/cve/CVE-2001-1279)\nCIAC Advisory: l-122\nCERT VU: 797201\nBugtraq ID: 3065\n", "reporter": "OSVDB", "published": "2001-07-17T00:00:00", "title": "tcpdump print-rx.c AFS RPC Invalid Length Packet Overflow DoS", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-2001-1279"], "modified": "2001-07-17T00:00:00", "id": "OSVDB:9852", "href": "https://vulners.com/osvdb/OSVDB:9852", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2017-10-03T03:59:02", "references": [], "edition": 1, "description": "", "reporter": "f5", "published": "2007-05-17T04:00:00", "title": "OpenSSH Remote Challenge Vulnerability - CAN-2001-1279", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2001-1279"], "modified": "2017-10-03T03:00:00", "href": "https://support.f5.com/csp/article/K1877", "id": "F5:K1877", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-02T00:08:10", "references": ["http://www.ciac.org/ciac/bulletins/l-015.shtml", "http://www.nessus.org/u?8a0a3b08"], "pluginID": "13938", "description": "Several buffer overflows were found in the tcpdump package by FreeBSD developers during a code audit, in versions prior to 3.5. However, newer versions of tcpdump, including 3.6.2, are also vulnerable to another buffer overflow in the AFS RPC decoding functions, which was discovered by Nick Cleaton. These vulnerabilities could be used by a remote attacker to crash the the tcpdump process or possibly even be exploited to execute arbitrary code as the user running tcpdump, which is usually root.\n\nThe newer libpcap 0.6 has also been audited to make it more safe by implementing better buffer boundary checks in several functions.", "edition": 5, "reporter": "Tenable", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : tcpdump (MDKSA-2002:032)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1279"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.2", "p-cpe:/a:mandriva:linux:libpcap", "p-cpe:/a:mandriva:linux:tcpdump", "cpe:/o:mandrakesoft:mandrake_linux:8.2", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "p-cpe:/a:mandriva:linux:libpcap0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:libpcap0-devel", "p-cpe:/a:mandriva:linux:libpcap-devel"], "id": "MANDRAKE_MDKSA-2002-032.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=13938", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2002:032. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(13938);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_cve_id(\"CVE-2001-1279\");\n script_xref(name:\"MDKSA\", value:\"2002:032\");\n\n script_name(english:\"Mandrake Linux Security Advisory : tcpdump (MDKSA-2002:032)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several buffer overflows were found in the tcpdump package by FreeBSD\ndevelopers during a code audit, in versions prior to 3.5. However,\nnewer versions of tcpdump, including 3.6.2, are also vulnerable to\nanother buffer overflow in the AFS RPC decoding functions, which was\ndiscovered by Nick Cleaton. These vulnerabilities could be used by a\nremote attacker to crash the the tcpdump process or possibly even be\nexploited to execute arbitrary code as the user running tcpdump, which\nis usually root.\n\nThe newer libpcap 0.6 has also been audited to make it more safe by\nimplementing better buffer boundary checks in several functions.\"\n );\n # ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a0a3b08\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.ciac.org/ciac/bulletins/l-015.shtml\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpcap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpcap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpcap0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpcap0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tcpdump\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"libpcap-0.6.2-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"libpcap-devel-0.6.2-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"tcpdump-3.6.2-2.2mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"libpcap-0.6.2-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"libpcap-devel-0.6.2-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"tcpdump-3.6.2-2.2mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"libpcap0-0.6.2-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"libpcap0-devel-0.6.2-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"tcpdump-3.6.2-2.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"tcpdump-3.6.2-2.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"tcpdump-3.6.2-2.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}