ID CVE-2007-3798
Summary Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
References
Vulnerable Configurations
  • cpe:2.3:a:tcpdump:tcpdump:3.9.6
CVSS
Base: 6.8 (as of 17-07-2007 - 18:11)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
Vector NETWORK
Complexity MEDIUM
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
exploit-db via4
description tcpdump Print-bgp.C Remote Integer Underflow Vulnerability. CVE-2007-3798. Remote exploit for linux platform
id EDB-ID:30319
last seen 2016-02-03
modified 2007-03-01
published 2007-03-01
reporter mu-b
source https://www.exploit-db.com/download/30319/
title tcpdump Print-bgp.C Remote Integer Underflow Vulnerability
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0387.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : * if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. * the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 67051
    published 2013-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67051
    title CentOS 4 : tcpdump (CESA-2007:0387)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_FF284BF03F3211DCA79A0016179B2DD5.NASL
    description The remote host is missing an update to the system. The following package is affected: tcpdump. This plugin is deprecated by plugin ID 25833, freebsd_pkg_ff284bf03f3211dca79a0016179b2dd5.nasl
    last seen 2016-09-26
    modified 2015-12-02
    plugin id 25814
    published 2007-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25814
    title FreeBSD : tcpdump -- remote integer underflow vulnerability (983) (deprecated)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-009.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 29723
    published 2007-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29723
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TCPDUMP-4037.NASL
    description This update fixes a buffer overflow that could be triggered when displaying BGP packets. (CVE-2007-3798)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29588
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29588
    title SuSE 10 Security Update : tcpdump (ZYPP Patch Number 4037)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-492-1.NASL
    description A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28094
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28094
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : tcpdump vulnerability (USN-492-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_TCPDUMP-4036.NASL
    description This update fixes a buffer overflow that could be triggered when displaying BGP packets (CVE-2007-3798).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27466
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27466
    title openSUSE 10 Security Update : tcpdump (tcpdump-4036)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1353.NASL
    description It was discovered that an integer overflow in the BGP dissector of tcpdump, a powerful tool for network monitoring and data acquisition, may lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25861
    published 2007-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25861
    title Debian DSA-1353-1 : tcpdump - integer overflow
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2DC764FA40C011DCAEAC02E0185F8D72.NASL
    description An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances. Impact : By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces. Workaround : No workaround is available.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25833
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25833
    title FreeBSD : FreeBSD -- Buffer overflow in tcpdump(1) (2dc764fa-40c0-11dc-aeac-02e0185f8d72)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-148.NASL
    description An integer overflow in tcpdump could allow a remote attacker to execute arbitrary code via crafted TLVs in a BGP packet. Updated packages have been patched to prevent this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 25794
    published 2007-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25794
    title Mandrake Linux Security Advisory : tcpdump (MDKSA-2007:148)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-230-01.NASL
    description New tcpdump packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, and 12.0 to fix a security issue.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 25907
    published 2007-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25907
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 9.0 / 9.1 : tcpdump (SSA:2007-230-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0368.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : * The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. * Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 27828
    published 2007-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27828
    title RHEL 5 : tcpdump (RHSA-2007:0368)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-654.NASL
    description - CVE-2007-3798 Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 25839
    published 2007-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25839
    title Fedora Core 6 : tcpdump-3.9.4-11.fc6 (2007-654)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200707-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-200707-14 (tcpdump: Integer overflow) mu-b from Digital Labs discovered that the return value of a snprintf() call is not properly checked before being used. This could lead to an integer overflow. Impact : A remote attacker could send specially crafted BGP packets on a network being monitored with tcpdump, possibly resulting in the execution of arbitrary code with the privileges of the user running tcpdump, which is usually root. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25810
    published 2007-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25810
    title GLSA-200707-14 : tcpdump: Integer overflow
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_11696.NASL
    description A buffer overflow has been found in tcpdump which can be triggered while displaying BGP packets. This could be exploited by an attacker to execute malicious code under the privileges of the user running tcpdump by presenting specially prepared BGP packets to tcpdump. This issue is tracked by CVE-2007-3798.
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41144
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41144
    title SuSE9 Security Update : tcpdump (YOU Patch Number 11696)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-1361.NASL
    description New upstream release. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 27711
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27711
    title Fedora 7 : tcpdump-3.9.7-1.fc7 (2007-1361)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0387.NASL
    description Updated tcpdump packages that fix a security issue and functionality bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Tcpdump is a command line tool for monitoring network traffic. Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : * if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. * the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available. Users of tcpdump are advised to upgrade to these erratum packages, which contain backported patches that correct these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28235
    published 2007-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28235
    title RHEL 4 : tcpdump (RHSA-2007:0387)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071115_TCPDUMP_ON_SL4_X.NASL
    description Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. An attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session if a certain link type was explicitly specified. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : - if called with -C and -W switches, tcpdump would create the first savefile with the privileges of the user that executed tcpdump (usually root), rather than with ones of the pcap user. This could result in the inability to save the complete traffic log file properly without the immediate notice of the user running tcpdump. - the arpwatch service initialization script would exit prematurely, returning a successful exit status incorrectly and preventing the status command from running in case networking is not available.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60310
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60310
    title Scientific Linux Security Update : tcpdump on SL4.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071109_TCPDUMP_ON_SL5_X.NASL
    description Problem description : Moritz Jodeit discovered a denial of service bug in the tcpdump IEEE 802.11 processing code. If a certain link type was explicitly specified, an attacker could inject a carefully crafted frame onto the IEEE 802.11 network that could crash a running tcpdump session. (CVE-2007-1218) An integer overflow flaw was found in tcpdump's BGP processing code. An attacker could execute arbitrary code with the privilege of the pcap user by injecting a crafted frame onto the network. (CVE-2007-3798) In addition, the following bugs have been addressed : - The arpwatch service initialization script would exit prematurely, returning an incorrect successful exit status and preventing the status command from running in case networking is not available. - Tcpdump would not drop root privileges completely when launched with the -C option. This might have been abused by an attacker to gain root privileges in case a security problem was found in tcpdump. Users of tcpdump are encouraged to specify meaningful arguments to the -Z option in case they want tcpdump to write files with privileges other than of the pcap user.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60299
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60299
    title Scientific Linux Security Update : tcpdump on SL5.x i386/x86_64
oval via4
accepted 2013-04-29T04:22:02.123-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
family unix
id oval:org.mitre.oval:def:9771
status accepted
submitted 2010-07-09T03:56:16-04:00
title Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
version 24
redhat via4
advisories
  • bugzilla
    id 250275
    title CVE-2007-3798 tcpdump BGP integer overflow
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment arpwatch is earlier than 14:2.1a13-18.el5
          oval oval:com.redhat.rhsa:tst:20070368004
        • comment arpwatch is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070368005
      • AND
        • comment libpcap is earlier than 14:0.9.4-11.el5
          oval oval:com.redhat.rhsa:tst:20070368006
        • comment libpcap is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070368007
      • AND
        • comment libpcap-devel is earlier than 14:0.9.4-11.el5
          oval oval:com.redhat.rhsa:tst:20070368008
        • comment libpcap-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070368009
      • AND
        • comment tcpdump is earlier than 14:3.9.4-11.el5
          oval oval:com.redhat.rhsa:tst:20070368002
        • comment tcpdump is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070368003
    rhsa
    id RHSA-2007:0368
    released 2007-11-07
    severity Moderate
    title RHSA-2007:0368: tcpdump security and bug fix update (Moderate)
  • bugzilla
    id 250275
    title CVE-2007-3798 tcpdump BGP integer overflow
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment arpwatch is earlier than 14:2.1a13-12.el4
          oval oval:com.redhat.rhsa:tst:20070387004
        • comment arpwatch is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070387005
      • AND
        • comment libpcap is earlier than 14:0.8.3-12.el4
          oval oval:com.redhat.rhsa:tst:20070387006
        • comment libpcap is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070387007
      • AND
        • comment tcpdump is earlier than 14:3.8.2-12.el4
          oval oval:com.redhat.rhsa:tst:20070387002
        • comment tcpdump is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070387003
    rhsa
    id RHSA-2007:0387
    released 2007-11-15
    severity Moderate
    title RHSA-2007:0387: tcpdump security and bug fix update (Moderate)
rpms
  • arpwatch-14:2.1a13-18.el5
  • libpcap-14:0.9.4-11.el5
  • libpcap-devel-14:0.9.4-11.el5
  • tcpdump-14:3.9.4-11.el5
  • arpwatch-14:2.1a13-12.el4
  • libpcap-14:0.8.3-12.el4
  • tcpdump-14:3.8.2-12.el4
refmap via4
apple APPLE-SA-2007-12-17
bid 24965
bugtraq 20070720 rPSA-2007-0147-1 tcpdump
cert TA07-352A
confirm
debian DSA-1353
freebsd FreeBSD-SA-07:06
gentoo GLSA-200707-14
mandriva MDKSA-2007:148
misc
sectrack 1018434
secunia
  • 26135
  • 26168
  • 26223
  • 26231
  • 26263
  • 26266
  • 26286
  • 26395
  • 26404
  • 26521
  • 27580
  • 28136
slackware SSA:2007-230-01
suse SUSE-SR:2007:016
trustix 2007-0023
turbo TLSA-2007-46
ubuntu USN-492-1
vupen
  • ADV-2007-2578
  • ADV-2007-4238
statements via4
contributor Joshua Bressers
lastmodified 2007-07-31
organization Red Hat
statement This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3. Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 07-03-2011 - 00:00
Published 16-07-2007 - 18:30
Last modified 15-10-2018 - 17:30