IBM SECURITY ADVISORY

First Issued: Thu May 25 11:23:13 CDT 2017
|Updated: Thu Jul 27 11:57:05 CDT 2017
|Update 1: Corrected the checksum value for iFix IV94729s9b.170425.epkg.Z

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc
https://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc
ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc

Security Bulletin: Vulnerabilities in tcpdump affect AIX
    CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925
    CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7930
    CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934
    CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7939
    CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975
    CVE-2016-7983 CVE-2016-7984 CVE-2016-7992 CVE-2016-7993
    CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203
    CVE-2017-5204 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484
    CVE-2017-5485 CVE-2017-5486

Note: See section IV for full CVE details.

===============================================================================

SUMMARY:

    There are multiple vulnerabilities in tcpdump that impact AIX.

===============================================================================

I. AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2

    The following fileset levels are vulnerable:

    key_fileset = aix

    Fileset                 Lower Level  Upper Level  KEY
    -----------------------------------------------------
    bos.net.tcp.server      5.3.12.0     5.3.12.6     key_w_fs
    bos.net.tcp.server      6.1.9.0      6.1.9.201    key_w_fs
    bos.net.tcp.server      7.1.3.0      7.1.3.49     key_w_fs
    bos.net.tcp.server      7.1.4.0      7.1.4.31     key_w_fs
    bos.net.tcp.tcpdump     7.2.0.0      7.2.0.2      key_w_fs
    bos.net.tcp.tcpdump     7.2.1.0      7.2.1.0      key_w_fs

    Note: To find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in AIX user's guide.

    Example:  lslpp -L | grep -i bos.net.tcp.server

II. REMEDIATION:

    A. FIXES

        Fixes are available.
        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix2.tar
        http://aix.software.ibm.com/aix/efixes/security/tcpdump_fix2.tar
        https://aix.software.ibm.com/aix/efixes/security/tcpdump_fix2.tar

        The links above are to a tar file containing this signed
        advisory, interim fixes, and OpenSSL signatures for each interim fix.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level  Interim Fix (*.Z)         KEY
        ----------------------------------------------
        5.3.12.9   IV94729s9b.170425.epkg.Z  key_w_fix
        6.1.9.7    IV94728s9c.170420.epkg.Z  key_w_fix
        6.1.9.8    IV94728s9c.170420.epkg.Z  key_w_fix
        6.1.9.9    IV94728s9c.170420.epkg.Z  key_w_fix
        7.1.3.7    IV94727s9b.170417.epkg.Z  key_w_fix
        7.1.3.8    IV94727s9b.170417.epkg.Z  key_w_fix
        7.1.3.9    IV94727s9b.170417.epkg.Z  key_w_fix
        7.1.4.2    IV94726s4c.170417.epkg.Z  key_w_fix
        7.1.4.3    IV94726s4c.170417.epkg.Z  key_w_fix
        7.1.4.4    IV94726s4c.170417.epkg.Z  key_w_fix
        7.2.0.1    IV94724s4b.170417.epkg.Z  key_w_fix
        7.2.0.2    IV94724s4b.170417.epkg.Z  key_w_fix
        7.2.0.3    IV94724s4b.170417.epkg.Z  key_w_fix
        7.2.1.1    IV94723s2a.170414.epkg.Z  key_w_fix
        7.2.1.2    IV94723s2a.170414.epkg.Z  key_w_fix
        7.2.1.3    IV94723s2a.170414.epkg.Z  key_w_fix

        To extract the fixes from the tar file:

            tar xvf tcpdump_fix2.tar
            cd tcpdump_fix2

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256" command, as follows:

        openssl dgst -sha256                                              filename                  KEY
        -----------------------------------------------------------------------------------------------------
|       346f594ec89137c8bfd4d27998cb15abfd1993ff42d6e5d021ec215ca55d7131  IV94729s9b.170425.epkg.Z  key_w_csum
        a2fc19f00b4ff99019916c379d314642483d323b7b9787abc32ecc0a05dd5241  IV94728s9c.170420.epkg.Z  key_w_csum
        e2931d9ba01be3eb4d31a35153cbd79392ef7cf5b5fa09849c5b0613f6b05b0b  IV94727s9b.170417.epkg.Z  key_w_csum
        6d39bdee9318b820748385f382ba6f365b121a53ee2818c546e0f65e0d312dbd  IV94726s4c.170417.epkg.Z  key_w_csum
        a4d1c36dec0f853dba468e105b57137695821818b4dbf51f4d991979fc010672  IV94724s4b.170417.epkg.Z  key_w_csum
        e6619c4b98a45048e453b7fc2a3a27e3a34fb80d36d61a73145fa82e14a4dcd4  IV94723s2a.170414.epkg.Z  key_w_csum

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM AIX Support at https://ibm.com/support/
        and describe the discrepancy.

            openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

            openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc.sig

    B. INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

            installp -a -d fix_name -p all  # where fix_name is the name of the
                                            # fix package being previewed.

        To install a fix package:

            installp -a -d fix_name -X all  # where fix_name is the name of the
                                            # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

            emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                         # interim fix package being previewed.

        To install an interim fix package:

            emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                         # interim fix package being installed.

    C. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level  APAR     Availability  SP    KEY
        ------------------------------------------------
        5.3.12     IV94729  **            N/A   key_w_apar
        6.1.9      IV94728  **            SP10  key_w_apar
        7.1.3      IV94727  **            N/A   key_w_apar
        7.1.4      IV94726  **            SP5   key_w_apar
        7.2.0      IV94724  **            SP5   key_w_apar
        7.2.1      IV94723  **            SP3   key_w_apar

        ** Please refer to AIX support lifecycle information page for
        availability of Service Packs:
        http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517

        Subscribe to the APARs here:

        https://www.ibm.com/support/docview.wss?uid=isg1IV94729
        https://www.ibm.com/support/docview.wss?uid=isg1IV94728
        https://www.ibm.com/support/docview.wss?uid=isg1IV94727
        https://www.ibm.com/support/docview.wss?uid=isg1IV94726
        https://www.ibm.com/support/docview.wss?uid=isg1IV94723
        https://www.ibm.com/support/docview.wss?uid=isg1IV94724

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

III. WORKAROUNDS AND MITIGATIONS:

    None.

IV. VULNERABILITY DETAILS:

    Vulnerabilities in tcpdump affect AIX:

    CVEID: CVE-2016-7922
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7922
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the AH parser in the
        print-ah.c:ah_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/12158
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7923
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7923
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ARP parser in the
        print-arp.c:arp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121550
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7924
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7924
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ATM parser in the
        print-atm.c:oam_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121551
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7925
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7925
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the SLIP parser in the
        print-sl.c:sl_if_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121552
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7926
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7926
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the Ethernet parser in the
        print-ether.c:ethertype_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121553
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7927
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7927
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the IEEE 802.11 parser in the
        print-802_11.c:ieee802_11_radio_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121554
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7928
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7928
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the IPComp parser in the
        print-ipcomp.c:ipcomp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121555
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7930
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7930
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the LLC/SNAP parser in the
        print-llc.c:llc_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121557
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7931
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7931
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the MPLS parser in the
        print-mpls.c:mpls_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121558
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7932
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7932
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the PIM parser in the
        print-pim.c:pimv2_check_checksum() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121559
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7933
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7933
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the PPP parser in the
        print-ppp.c:ppp_hdlc_if_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121560
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7934
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7934
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the RTCP parser in the
        print-udp.c:rtcp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121561
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7935
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7935
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the RTP parser in the
        print-udp.c:rtp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121562
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7936
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7936
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the UDP parser in the
        print-udp.c:udp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121563
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7937
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7937
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the VAT parser in the
        print-udp.c:vat_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121564
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7939
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7939
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the GRE parser in the
        print-gre.c and other functions.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121566
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7940
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7940
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the STP parser in the
        print-stp.c and other functions.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121567
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7973
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7973
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the AppleTalk parser in the
        print-atalk.c and other functions.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121568
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7974
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7974
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the IP parser in the
        print-ip.c and other functions.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121569
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7975
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7975
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the TCP parser in the
        print-tcp.c:tcp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121570
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7983
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7983
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the BOOTP parser in the
        print-bootp.c:bootp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121571
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7984
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7984
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the TFTP parser in the
        print-tftp.c:tftp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121572
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7992
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7992
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the Classical IP over ATM parser in
        the print-cip.c:cip_if_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121575
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-7993
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7993
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by multiple parsers in the
        util-print.c:relts_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121576
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-8574
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8574
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the FRF.15 parser in the
        print-fr.c:frf15_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121577
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2016-8575
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8575
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the Q.933 parser in the
        print-fr.c:q933_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121578
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5202
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5202
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ISO CLNS parser in the
        print-isoclns.c:clnp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121579
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5203
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5203
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the BOOTP parser in the
        print-bootp.c:bootp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121580
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5204
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5204
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the IPv6 parser in the
        print-ip6.c:ip6_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121581
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5482
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5482
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the Q.933 parser in the
        print-fr.c:q933_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121585
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5483
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5483
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the SNMP parser in the
        print-snmp.c:asn1_parse() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121586
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5484
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5484
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ATM parser in the
        print-atm.c:sig_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121587
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5485
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5485
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ISO CLNS parser in the
        addrtoname.c:lookup_nsap() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121588
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2017-5486
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5486
    DESCRIPTION: tcpdump is vulnerable to a buffer overflow, caused by
        improper bounds checking by the ISO CLNS parser in the
        print-isoclns.c:clnp_print() function.
        By sending an overly long argument, a remote attacker could
        overflow a buffer and execute arbitrary code on the system or
        cause the application to crash.
    CVSS Base Score: 7.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/121589
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications
        https://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
        https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
        https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    Please contact your local IBM AIX support center for any
    assistance.

REFERENCES:

    Complete CVSS v3 Guide:
        http://www.first.org/cvss/user-guide
        https://www.first.org/cvss/user-guide

    On-line Calculator v3:
        http://www.first.org/cvss/calculator/3.0
        https://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

    None

CHANGE HISTORY:

    First Issued: Thu May 25 11:23:13 CDT 2017
|   Updated: Thu Jul 27 11:57:05 CDT 2017
|   Update 1: Corrected the checksum value for iFix IV94729s9b.170425.epkg.Z

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
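
The fix selection and checksum check from section II.A, as an added example that is not part of IBM's advisory: it picks the interim fix for an AIX level and compares its "openssl dgst -sha256" digest with the advisory's table. The function names and the command-line form (level, then directory) are assumptions; the tables are copied from the advisory.

```shell
#!/bin/sh
# Added example, not IBM code. Tables below are copied from section II.A.

# SHA-256 checksum table (advisory values, including the Update 1 correction).
ADVISORY_SUMS='346f594ec89137c8bfd4d27998cb15abfd1993ff42d6e5d021ec215ca55d7131 IV94729s9b.170425.epkg.Z
a2fc19f00b4ff99019916c379d314642483d323b7b9787abc32ecc0a05dd5241 IV94728s9c.170420.epkg.Z
e2931d9ba01be3eb4d31a35153cbd79392ef7cf5b5fa09849c5b0613f6b05b0b IV94727s9b.170417.epkg.Z
6d39bdee9318b820748385f382ba6f365b121a53ee2818c546e0f65e0d312dbd IV94726s4c.170417.epkg.Z
a4d1c36dec0f853dba468e105b57137695821818b4dbf51f4d991979fc010672 IV94724s4b.170417.epkg.Z
e6619c4b98a45048e453b7fc2a3a27e3a34fb80d36d61a73145fa82e14a4dcd4 IV94723s2a.170414.epkg.Z'

# "AIX Level -> Interim Fix" table.
IFIX_MAP='5.3.12.9 IV94729s9b.170425.epkg.Z
6.1.9.7 IV94728s9c.170420.epkg.Z
6.1.9.8 IV94728s9c.170420.epkg.Z
6.1.9.9 IV94728s9c.170420.epkg.Z
7.1.3.7 IV94727s9b.170417.epkg.Z
7.1.3.8 IV94727s9b.170417.epkg.Z
7.1.3.9 IV94727s9b.170417.epkg.Z
7.1.4.2 IV94726s4c.170417.epkg.Z
7.1.4.3 IV94726s4c.170417.epkg.Z
7.1.4.4 IV94726s4c.170417.epkg.Z
7.2.0.1 IV94724s4b.170417.epkg.Z
7.2.0.2 IV94724s4b.170417.epkg.Z
7.2.0.3 IV94724s4b.170417.epkg.Z
7.2.1.1 IV94723s2a.170414.epkg.Z
7.2.1.2 IV94723s2a.170414.epkg.Z
7.2.1.3 IV94723s2a.170414.epkg.Z'

# ifix_for_level LEVEL: print the interim fix listed for an exact AIX level;
# non-zero status when the advisory lists none for that level.
ifix_for_level() {
    printf '%s\n' "$IFIX_MAP" |
        awk -v l="$1" '$1 == l { print $2; found = 1 } END { exit !found }'
}

# expected_sum FILE: print the advisory digest for FILE's base name;
# non-zero status when the file name is not in the advisory.
expected_sum() {
    printf '%s\n' "$ADVISORY_SUMS" |
        awk -v f="$(basename "$1")" '$2 == f { print $1; found = 1 } END { exit !found }'
}

# actual_sum FILE: digest via the command the advisory names. openssl prints
# "SHA256(file)= <hex>" (or "SHA2-256(...)"), so the digest is the last field.
actual_sum() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# verify_ifix FILE: 0 = digest matches, 1 = mismatch, 2 = not in advisory,
# 3 = unreadable. An empty digest (openssl failed) fails closed as a mismatch.
verify_ifix() {
    want=$(expected_sum "$1") || { echo "UNKNOWN $1: not listed in advisory" >&2; return 2; }
    [ -r "$1" ] || { echo "MISSING $1" >&2; return 3; }
    got=$(actual_sum "$1")
    if [ "$got" = "$want" ]; then
        echo "OK $1"
        return 0
    fi
    echo "MISMATCH $1: expected $want, got ${got:-nothing}" >&2
    return 1
}

# Usage (assumed form): sh check_ifix.sh 7.1.4.3 [directory, default tcpdump_fix2]
if [ "$#" -ge 1 ]; then
    dir=${2:-tcpdump_fix2}
    ifix=$(ifix_for_level "$1") || { echo "no interim fix listed for AIX level $1" >&2; exit 2; }
    verify_ifix "$dir/$ifix" || exit 1
    echo "next: emgr -e $dir/$ifix -p   # preview, as in section II.B"
fi
```

A matching digest only shows that the file agrees with this copy of the advisory; the OpenSSL signature check in section II.A is what ties the advisory and the fix to IBM's published key.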