{"result": {"cve": [{"id": "CVE-2001-1279", "type": "cve", "title": "CVE-2001-1279", "description": "Buffer overflow in print-rx.c of tcpdump 3.x (probably 3.6x) allows remote attackers to cause a denial of service and possibly execute arbitrary code via AFS RPC packets with invalid lengths that trigger an integer signedness error, a different vulnerability than CVE-2000-1026.", "published": "2001-07-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1279", "cvelist": ["CVE-2001-1279"], "lastseen": "2016-09-03T03:10:51"}], "cert": [{"id": "VU:797201", "type": "cert", "title": "tcpdump vulnerable to buffer overflow via improper decoding of AFS RPC (Rx) packets", "description": "### Overview\n\nA vulnerability exists in tcpdump that could allow an attacker to execute arbitrary code with the privileges of tcpdump, typically root.\n\n### Description\n\ntcpdump is a widely-used network sniffer that is capable of decoding AFS traffic. A buffer overflow vulnerability has been discovered in tcpdump's handling of AFS RPC (Rx) packets. Rx is the proprietary remote procedure call (RPC) protocol used by AFS to communicate between AFS processes running on different systems. According to FreeBSD Security Advisory [FreeBSD-SA-01:48](<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc>), this vulnerability is caused by \"...incorrect string length handling in the decoding of AFS RPC packets.\" \n \n--- \n \n### Impact\n\nA remote attacker who is able to send crafted AFS RPC (Rx) packets may be able to execute arbitrary code or cause a denial of service on a system running tcpdump. If tcpdump is operating in promiscuous mode, the attacker only needs to send packets to the ethernet segment in which tcpdump is running. On Linux systems, tcpdump runs with root privileges. On other UNIX systems, tcpdump may run with root privileges. 
On Windows 2000 systems, [windump](<http://windump.polito.it/>) can be run with user privileges. \n \n--- \n \n### Solution\n\n**Upgrade tcpdump** \n \nThis vulnerability was addressed in July 2001. tcpdump3_6_rel3 and later are not vulnerable. tcpdump 3.6.2 and earlier are vulnerable. Obtain an upgraded tcpdump package or apply the appropriate patch from your vendor. \n \n--- \n \n \n**Filter AFS Traffic** \n \nBlock AFS RPC (Rx) packets destined to hosts (and networks with hosts) running vulnerable versions of tcpdump. AFS services communicate on a number of UDP ports: \n\n\n`7000/udp fileserver` \n`7001/udp callback (cache manager on AFS client)` \n`7002/udp ptserver ` \n`7003/udp vlserver` \n`7004/udp kaserver` \n`7005/udp volserver` \n`7007/udp bosserver` \n`7008/udp upserver` \n`7009/udp rmtsysd (NFS/AFS translator)` \n`7021/udp buserver` \n`7025-65535/udp butc (backup servers)` \nIt may also be possible to instruct tcpdump not to decode packets that use AFS Rx port numbers (ports 7021 and >7025 are not included in this filter): \n \n`$ tcpdump not udp port 7000 or 7001 or 7002 or 7003 or 7004 or 7005 or 7006 or 7007 or 7008 or 7009` \n \nWhile blocking AFS Rx traffic into a network may protect internal hosts, it may not protect systems that run tcpdump at the network perimeter, such as an Intrusion Detection System (IDS). Also, it is unclear how tcpdump determines that a given packet should be decoded as an AFS Rx packet. It is likely that tcpdump does not rely on port numbers, and if this is the case then an attacker could easily bypass port filters by using non-AFS port numbers. 
\n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nConectiva| | -| 07 Jun 2002 \nFreeBSD| | -| 07 Jun 2002 \nMandrakeSoft| | -| 07 Jun 2002 \nRed Hat, Inc.| | -| 07 Jun 2002 \ntcpdump.org| | -| 12 Jun 2002 \nCaldera| | -| 07 Jun 2002 \nPolitecnico Di Torino| | -| 07 Jun 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23797201 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * [VU#776781](<VU#776781>)\n * <http://www.securityfocus.com/bid/3065>\n * <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:48.tcpdump.asc>\n * <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:48/tcpdump-4.x.patch>\n * [http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23](<http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-rx.c?r1=1.22&r2=1.23>)\n\n### Credit\n\nThe CERT Coordination Center thanks [FreeBSD](<http://www.freebsd.org/>) and [tcpdump.org](<http://www.tcpdump.org/>) for information used in this document.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n * CVE IDs: [CAN-2001-1279](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2001-1279>)\n * Date Public: 09 Jul 2001\n * Date First Published: 07 Jun 2002\n * Date Last Updated: 12 Jun 2002\n * Severity Metric: 10.94\n * Document Revision: 43\n\n", "published": "2002-06-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/797201", "cvelist": ["CVE-2001-1279", "CVE-2001-1279"], "lastseen": "2016-02-03T09:13:12"}], "f5": [{"id": "F5:K1877", "type": "f5", "title": "OpenSSH Remote Challenge Vulnerability - CAN-2001-1279", "description": "", "published": "2007-05-17T04:00:00", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K1877", "cvelist": ["CVE-2001-1279"], "lastseen": "2017-10-03T03:59:02"}], "nessus": [{"id": "MANDRAKE_MDKSA-2002-032.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : tcpdump (MDKSA-2002:032)", "description": "Several buffer overflows were found in the tcpdump package by FreeBSD developers during a code audit, in versions prior to 3.5. However, newer versions of tcpdump, including 3.6.2, are also vulnerable to another buffer overflow in the AFS RPC decoding functions, which was discovered by Nick Cleaton. These vulnerabilities could be used by a remote attacker to crash the tcpdump process or possibly even be exploited to execute arbitrary code as the user running tcpdump, which is usually root.\n\nThe newer libpcap 0.6 has also been audited to make it more safe by implementing better buffer boundary checks in several functions.", "published": "2004-07-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=13938", "cvelist": ["CVE-2001-1279"], "lastseen": "2017-10-29T13:45:04"}], "osvdb": [{"id": "OSVDB:9852", "type": "osvdb", "title": "tcpdump print-rx.c AFS RPC Invalid Length Packet Overflow DoS", "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2001:089\nISS X-Force ID: 7006\n[CVE-2001-1279](https://vulners.com/cve/CVE-2001-1279)\nCIAC Advisory: l-122\nCERT VU: 797201\nBugtraq ID: 3065\n", "published": "2001-07-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:9852", "cvelist": ["CVE-2001-1279"], "lastseen": "2017-04-28T13:20:05"}]}}