SB2018070309 - Multiple vulnerabilities in AppNeta Tcpreplay
Published: July 3, 2018 Updated: June 1, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2018-17974)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Tcpreplay 4.3.0 beta1. A heap-based buffer over-read was triggered in the function dlt_en10mb_encode() of the file plugins/dlt_en10mb/en10mb.c, due to inappropriate values in the function memmove(). The length (pktlen + ctx -> l2len) can be larger than source value (packet + ctx->l2len) because the function fails to ensure the length of a packet is valid. This leads to Denial of Service.
2) Out-of-bounds read (CVE-ID: CVE-2018-17580)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the function fast_edit_packet() in the file send_packets.c of Tcpreplay. This can lead to Denial of Service (DoS) and potentially Information Exposure when the application attempts to process a crafted pcap file. A remote attacker can pass specially crafted data to the application, trigger out-of-bounds read error and read contents of memory on the system.
3) Out-of-bounds read (CVE-ID: CVE-2018-17582)
The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
Tcpreplay contains a heap-based buffer over-read. The get_next_packet() function in the send_packets.c file uses the memcpy() function unsafely to copy sequences from the source buffer pktdata to the destination (*prev_packet)->pktdata. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process a file.
4) Out-of-bounds read (CVE-ID: CVE-2018-13112)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in get_l2len in common/get.c in Tcpreplay. A remote attacker can perform a denial of service (heap-based buffer over-read and application crash) via crafted packets, as demonstrated by tcpprep.
Remediation
Install update from vendor's website.
References
- https://github.com/appneta/tcpreplay/issues/486
- https://github.com/SegfaultMasters/covering360/tree/master/tcpreplay
- https://github.com/appneta/tcpreplay/issues/485
- https://github.com/SegfaultMasters/covering360/blob/master/tcpreplay
- https://github.com/appneta/tcpreplay/issues/484
- https://github.com/appneta/tcpreplay/issues/477