All posts by 007admin

USN-3239-3: GNU C Library regression

Ubuntu Security Notice USN-3239-3

24th March, 2017

eglibc regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

USN-3239-1 introduced a regression in the GNU C Library.

Software description

  • eglibc
    – GNU C Library

Details

USN-3239-1 fixed vulnerabilities in the GNU C Library. Unfortunately,
the fix for CVE-2016-3706 introduced a regression that in some
circumstances prevented IPv6 addresses from resolving. This update
reverts the change in Ubuntu 12.04 LTS. We apologize for the error.
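As an added check that is not part of the Ubuntu notice, the small C probe below asks getaddrinfo() for IPv6 answers only and reports what comes back, so a host can be checked before and after the update. The function names `resolve_ipv6` and `ipv6_literal_ok` are my own; `ipv6_literal_ok` uses AI_NUMERICHOST so it exercises the address handling without needing DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* struct addrinfo, getaddrinfo() */
#endif
#include <netdb.h>                /* getaddrinfo, gai_strerror, EAI_* */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>            /* inet_ntop, INET6_ADDRSTRLEN */
#include <sys/socket.h>

/* Ask getaddrinfo() for IPv6 answers only and write the first one to `out`
 * as text. Returns 0 on success, otherwise the getaddrinfo() error code.
 * With `numeric` set, AI_NUMERICHOST keeps the lookup away from DNS. */
int resolve_ipv6(const char *host, int numeric, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET6;          /* an IPv4-only answer counts as failure */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = numeric ? AI_NUMERICHOST : 0;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;                       /* e.g. EAI_NONAME, EAI_ADDRFAMILY */
    const struct sockaddr_in6 *sa6 = (const struct sockaddr_in6 *)res->ai_addr;
    const char *p = inet_ntop(AF_INET6, &sa6->sin6_addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return p ? 0 : EAI_FAIL;
}

/* Network-free sanity check: does an IPv6 literal parse and print back
 * unchanged through the same getaddrinfo() path? 1 if so, 0 otherwise. */
int ipv6_literal_ok(const char *lit)
{
    char buf[INET6_ADDRSTRLEN];
    return resolve_ipv6(lit, 1, buf, sizeof buf) == 0 && strcmp(buf, lit) == 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";  /* any name with an AAAA or hosts entry */
    char buf[INET6_ADDRSTRLEN];
    int rc = resolve_ipv6(host, 0, buf, sizeof buf);
    if (rc != 0) {
        fprintf(stderr, "%s: no IPv6 address (%s)\n", host, gai_strerror(rc));
        return 1;
    }
    printf("%s -> %s\n", host, buf);
    return 0;
}
```

Run it as `./probe some-host` on the affected release; a name that is known to have an IPv6 address but reports "no IPv6 address" is the symptom the regression fix addresses.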

Original advisory details:

It was discovered that the GNU C Library incorrectly handled the
strxfrm() function. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An attacker could
use this to cause a denial of service or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C Library
did not properly handle certain malformed patterns. An attacker could
use this to cause a denial of service. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer overflow in the
glob implementation of the GNU C Library. An attacker could use this
to specially craft a directory layout and cause a denial of service.
(CVE-2016-1234)

Michael Petlan discovered an unbounded stack allocation in the
getaddrinfo() function of the GNU C Library. An attacker could use
this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in the sunrpc
implementation in the GNU C Library. An attacker could use this to
cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation in the
GNU C Library did not properly track memory allocations. An attacker
could use this to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM 32-bit
platforms did not properly set up execution contexts. An attacker
could use this to cause a denial of service. (CVE-2016-6323)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  libc6  2.15-0ubuntu10.18

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

https://bugs.launchpad.net/bugs/1674776

NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow

The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute-forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be brute-forced. This Metasploit module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested – with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses.

tcpreplay-4.2.1-1.el5

Here is what is fixed in this release:

- Fix reporting of rates < 1Mbps (#348)
- Option --unique-ip not working properly (#346)

----

Features and fixes include:

- MAC rewriting capabilities by Pedro Arthur (#313)
- Fix several issues identified by Coverity (#305)
- Packet distortion --fuzz-seed option by Gabriel Ganne (#302)
- Add --unique-ip-loops option to modify IPs every few loops (#296)
- Netmap startup delay increase (#290)
- tcpcapinfo buffer overflow vulnerability (#278)
- Update git-clone instructions by Kyle McDonald (#277)
- Allow fractions for --pps option (#270)
- Print per-loop stats with --stats=0 (#269)
- Add protection against packet drift by Guillaume Scott (#268)
- Print flow stats periodically with --stats output (#262)
- Include Travis-CI build support by Ilya Shipitsin (#264) (#285)
- tcpreplay won't replay all packets in a pcap file with --netmap (#255)
- First and last packet times in --stats output (#239)
- Switch to wire speed after 30 minutes at 6 Gbps (#210)
- tcprewrite fix checksum properly for fragmented packets (#190)

tcpreplay-4.2.1-1.fc25

tcpreplay-4.2.1-1.el6

----

Patch CVE-2017-6429.

The tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability in its parsing of a crafted pcap file. It occurs in src/tcpcapinfo.c when the capture contains a packet that is too large to handle.
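As an added illustration that is my own code, not tcpreplay's, the block below shows the bounds check a pcap reader needs before copying a record into a fixed-size packet buffer: `count_records` refuses any record whose claimed incl_len exceeds the file's snaplen, the buffer, or the bytes actually present, which is the class of input the advisory describes. The pcap image is constructed in memory by `check_image`; the function names and the 2048-byte buffer are assumptions for the example.

```c
#include <stdint.h>
#include <string.h>

#define PCAP_HDR 24   /* global header: magic, version, zone, sigfigs, snaplen, linktype */
#define REC_HDR  16   /* per-record header: ts_sec, ts_usec, incl_len, orig_len */
#define PKT_BUF  2048 /* fixed packet buffer the reader copies each record into (assumed) */

static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk the records of a little-endian pcap image held in memory. Returns the
 * number of records accepted, or -1 at the first record whose incl_len exceeds
 * the snaplen, the packet buffer, or the bytes that actually remain in the file.
 * An unchecked reader would memcpy incl_len bytes into pkt regardless. */
int count_records(const uint8_t *buf, size_t len)
{
    if (len < PCAP_HDR || le32(buf) != 0xa1b2c3d4)
        return -1;
    uint32_t snaplen = le32(buf + 16);
    uint8_t pkt[PKT_BUF];
    size_t off = PCAP_HDR;
    int n = 0;
    while (off + REC_HDR <= len) {
        uint32_t caplen = le32(buf + off + 8);
        if (caplen > snaplen || caplen > sizeof pkt || caplen > len - off - REC_HDR)
            return -1;                       /* oversized or truncated record */
        memcpy(pkt, buf + off + REC_HDR, caplen);
        off += REC_HDR + caplen;
        n++;
    }
    return n;
}

/* Constructed test input: a one-record pcap whose header claims `claimed`
 * payload bytes but carries only `present`. Returns count_records() on it. */
int check_image(uint32_t claimed, uint32_t present)
{
    static uint8_t img[PCAP_HDR + REC_HDR + 4096];
    if (present > 4096) return -1;
    memset(img, 0, sizeof img);
    put32(img, 0xa1b2c3d4);              /* magic, little-endian */
    img[4] = 2; img[6] = 4;              /* version 2.4 */
    put32(img + 16, PKT_BUF);            /* snaplen */
    put32(img + 20, 1);                  /* linktype DLT_EN10MB */
    put32(img + PCAP_HDR + 8, claimed);  /* incl_len */
    put32(img + PCAP_HDR + 12, claimed); /* orig_len */
    memset(img + PCAP_HDR + REC_HDR, 0xab, present);
    return count_records(img, PCAP_HDR + REC_HDR + present);
}
```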

References:

http://seclists.org/bugtraq/2017/Mar/22

Upstream bug:

https://github.com/appneta/tcpreplay/issues/278