Bug 14919

Summary: ettercap new security issues CVE-2014-639[56], CVE-2014-937[6-9], and CVE-2014-938[01]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dpremy, herman.viaene, pterjan, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628174/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: ettercap-0.8.0-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-12-30 18:40:35 CET 
An advisory has been issued on December 16:
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/

The Debian LTS advisory just listed two of the CVEs, as those probably were the only ones that affected the 0.7.x version that they had.  We're probably affected by more of them as we have version 0.8.0.

Upstream commits to fix the issues are linked in the Obrela advisory.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-30 18:40:44 CET

Whiteboard: (none) => MGA4TOO

David Walser 2014-12-30 18:40:59 CET

Blocks: (none) => 14674

Comment 1 David Walser 2014-12-30 21:44:36 CET 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ettercap package fixes security vulnerabilities:

Heap-based buffer overflow in the dissector_postgresql function in
dissectors/ec_postgresql.c in Ettercap before 8.1 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via a crafted
password length value that is inconsistent with the actual length of the
password (CVE-2014-6395).

The dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap
before 8.1 allows remote attackers to cause a denial of service and possibly
execute arbitrary code via a crafted password length, which triggers a 0
character to be written to an arbitrary memory location (CVE-2014-6396).

Integer underflow in Ettercap 8.1 allows remote attackers to cause a denial
of service (out-of-bounds write) and possibly execute arbitrary code via a
small size variable value in the dissector_dhcp function in
dissectors/ec_dhcp.c, length value to the dissector_gg function in
dissectors/ec_gg.c, or string length to the get_decode_len function in
ec_utils.c or a request without a username or password to the
dissector_TN3270 function in dissectors/ec_TN3270.c (CVE-2014-9376).

Heap-based buffer overflow in the nbns_spoof function in
plug-ins/nbns_spoof/nbns_spoof.c in Ettercap 8.1 allows remote attackers to
cause a denial of service or possibly execute arbitrary code via a large
netbios packet (CVE-2014-9377).

Ettercap 8.1 does not validate certain return values, which allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted name to the parse_line function in mdns_spoof/mdns_spoof.c
or base64 encoded password to the dissector_imap function in
dissectors/ec_imap.c (CVE-2014-9378).

The radius_get_attribute function in dissectors/ec_radius.c in Ettercap 8.1
performs an incorrect cast, which allows remote attackers to cause a denial
of service (crash) or possibly execute arbitrary code via unspecified
vectors, which triggers a stack-based buffer overflow (CVE-2014-9379).

The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 allows
remote attackers to cause a denial of service (out-of-bounds read) via a
packet containing only a CVS_LOGIN signature (CVE-2014-9380).

Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c
in Ettercap 8.1 allows remote attackers to cause a denial of service (crash)
via a crafted password, which triggers a large memory allocation
(CVE-2014-9381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9381
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1402/
========================

Updated packages in core/updates_testing:
========================
ettercap-0.8.0-3.1.mga4

from ettercap-0.8.0-3.1.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Summary: ettercap new security issues CVE-2014-9380, CVE-2014-9381, and possibly others => ettercap new security issues CVE-2014-639[56], CVE-2014-937[6-9], and CVE-2014-938[01]
Whiteboard: MGA4TOO => (none)
Assignee: pterjan => qa-bugs
CC: (none) => pterjan

Comment 2 David Remy 2015-01-04 04:00:45 CET 
Tested on mga4 32bit OK

Didn't see a POC so I ran it through a few different ways I use it. Didn't see any issues with what I tested and all plugins listed loaded without issue.

ettercap -T
ettercap -G
ettercap -C

CC: (none) => dpremy

David Remy 2015-01-04 04:02:12 CET

Whiteboard: (none) => mga4-32-ok

Comment 3 Herman Viaene 2015-01-05 10:19:59 CET 
MGA4-64 ON HP Probook 6555b KDE Wifi connected
This PC did not have an older ettercap  installation.
No installation issues.
Tried commands as per Comment 2
$ ettercap -T
ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team
ERROR : 1, Operation not permitted
[/home/iurt/rpmbuild/BUILD/ettercap-0.8.0/src/ec_network.c:network_init:67]
Surely there is no /home/iurt/ on my PC. This command bombs out.
ettercap -G
opens GUI application, but when I select Sniff - Unified sniffing, there is no device available.
ettercap -C
Application opens, but as soon as I navigate to Sniff - Unified sniffing, the program bombs out.
Disconnected WiFi and connected Ethernet cable: still no device.

CC: (none) => herman.viaene

Comment 4 William Kenney 2015-01-05 16:27:09 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
ettercaap

default install of ettercap

[root@localhost wilcal]# urpmi ettercap
Package ettercap-0.8.0-3.mga4.i586 is already installed

[root@localhost wilcal]# ettercap -T

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

Listening on:
enp0s3 -> 08:00:27:84:88:A0
          192.168.1.88/255.255.255.0
          fe80::a00:27ff:fe84:88a0/64
          2602:306:ce13:d0b0:a00:27ff:fe84:88a0/64.....

ettercap -G & ettercap -C opens ettercap dialog window.

install ettercap from updates_testing

[root@localhost wilcal]# urpmi ettercap
Package ettercap-0.8.0-3.1.mga4.i586 is already installed

[root@localhost wilcal]# ettercap -T

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

Listening on:
enp0s3 -> 08:00:27:84:88:A0
          192.168.1.88/255.255.255.0
          fe80::a00:27ff:fe84:88a0/64
          2602:306:ce13:d0b0:a00:27ff:fe84:88a0/64.....
          
ettercap -G & ettercap -C opens ettercap dialog window.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 5 William Kenney 2015-01-05 16:41:12 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
ettercaap

default install of ettercap

[root@localhost wilcal]# urpmi ettercap
Package ettercap-0.8.0-3.mga4.x86_64 is already installed

[root@localhost wilcal]# ettercap -T

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

Listening on:
enp0s3 -> 08:00:27:A7:DA:FC
          192.168.1.130/255.255.255.0
          fe80::a00:27ff:fea7:dafc/64
          2602:306:ce13:d0b0:a00:27ff:fea7:dafc/64.....

ettercap -G & ettercap -C opens ettercap dialog window.

install ettercap from updates_testing

[root@localhost wilcal]# urpmi ettercap
Package ettercap-0.8.0-3.1.mga4.x86_64 is already installed

[root@localhost wilcal]# urpmi ettercap
Package ettercap-0.8.0-3.1.mga4.x86_64 is already installed

[root@localhost wilcal]# ettercap -T

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

Listening on:
enp0s3 -> 08:00:27:A7:DA:FC
          192.168.1.130/255.255.255.0
          fe80::a00:27ff:fea7:dafc/64
          2602:306:ce13:d0b0:a00:27ff:fea7:dafc/64.....
          
ettercap -G & ettercap -C opens ettercap dialog window.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2015-01-05 16:44:20 CET 
For me this update works fine. It monitors the
traffic in a root terminal with the ettercap -T command.
I think if there are performance issues that should be
a seperate bug. This is a security update only.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-32-ok => mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2015-01-05 22:36:04 CET 
LWN reference for the rest of the CVEs:
http://lwn.net/Vulnerabilities/628525/
Comment 8 claire robinson 2015-01-07 16:39:00 CET 
Advisory uploaded.

Whiteboard: mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok

Comment 9 Mageia Robot 2015-01-07 17:32:48 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0012.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED