Bug 26885 - tcpreplay new security issue CVE-2020-12740
Summary: tcpreplay new security issue CVE-2020-12740
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-01 22:53 CEST by David Walser
Modified: 2020-07-05 13:27 CEST (History)
5 users

See Also:
Source RPM: tcpreplay-4.3.2-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-07-01 22:53:46 CEST
Fedora has issued an advisory on June 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4YAT4AGTHQKB74ETOQPJMV67TSDIAPOC/

Mageia 7 is also affected.
David Walser 2020-07-01 22:54:04 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-07-03 08:14:18 CEST
Fixed upstream in 4.3.3 release.

Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2020-07-03 19:00:44 CEST
Advisory:
========================

Updated tcpreplay package fixes security vulnerability:

tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-read during
a get_c operation. The issue is being triggered in the function get_ipv6_next()
at common/get.c (CVE-2020-12740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12740
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4YAT4AGTHQKB74ETOQPJMV67TSDIAPOC/
========================

Updated packages in core/updates_testing:
========================
tcpreplay-4.3.3-1.mga7

from tcpreplay-4.3.3-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 7

Comment 3 Len Lawrence 2020-07-04 03:33:43 CEST
CVE-2020-12740
https://github.com/appneta/tcpreplay/issues/576
Leads to three files:
https://github.com/14isnot40/vul_discovery/tree/master/tcpreplay/get_ipv6_next/poc
etc.

tcpreplay 4.3.2
$ tcprewrite -i poc1 -o /dev/null --fuzz-seed=42
Segfault with the fuzz-seed, nothing otherwise.
The extra parameter probably does not mean anything unless the package is compiled with asan support.

Updated the package.
tcpreplay 4.3.3
$ tcprewrite -i poc1 -o /dev/null --fuzz-seed=42

Fatal Error: Error rewriting packets: From edit_packet.c:fix_ipv4_checksums() line 73:
Invalid packet: Expected IPv4 packet: got 6
Without fuzzer parameter:
$ tcprewrite -i poc1 -o /dev/null
$

So maybe this is a good PoC test.  Cannot be certain.
--------------------------------------------------------
$ tcprewrite --infile=test1.pcap --outfile=new.pcap
$ ll test1.pcap new.pcap
-rw-r--r-- 1 lcl lcl 202121 Jul  4 02:20 new.pcap
-rw-r--r-- 1 lcl lcl 202121 Jul  4 01:51 test1.pcap
Note: not the way it is intended to be used (just a copy as it stands).  There are many options, all a bit technical.

$ tcpreplay --listnics
vailable network interfaces:
enp3s0
any
bluetooth-monitor
nflog
nfqueue
bluetooth0
$ tcprewrite --infile=test2.pcap --outfile=new.pcap 
Warning: test2.pcap was captured using a snaplen of 500 bytes.  This may mean you have truncated packets.
# tcpreplay -i enp3s0 test2.pcap
Warning: test2.pcap was captured using a snaplen of 500 bytes.  This may mean you have truncated packets.
^C User interrupt...
sendpacket_abort
Actual: 55 packets (13156 bytes) sent in 52.14 seconds
Rated: 252.3 Bps, 0.002 Mbps, 1.05 pps
Flows: 1 flows, 0.01 fps, 55 flow packets, 0 non-flow
Statistics for network device: enp3s0
	Successful packets:        54
	Failed packets:            0
	Truncated packets:         0
	Retried packets (ENOBUFS): 0
	Retried packets (EAGAIN):  0

# tcpreplay -v -i enp3s0 test2.pcap
Warning: test2.pcap was captured using a snaplen of 500 bytes.  This may mean you have truncated packets.
reading from file -, link-type EN10MB (Ethernet)
01:00:00.000000 IP 208.21.2.184.1512 > 10.1.1.99.53: 12295 updateMA Resp12*-| [30980q][|domain]
01:00:01.000001 IP truncated-ip - 27 bytes missing! 208.21.2.184.1512 > 10.1.1.99.53: [|domain]
01:00:02.000002 IP 208.21.2.184.1512 > 10.1.1.99.53: 12337 op7 NoChange- [6466q][|domain]
01:00:03.000003 IP 208.21.2.184.1512 > 10.1.1.99.53: 12316 updateM [b2&3=0x6440] [7904a] [8443q] [35785n] [14306au] Type39694 (Class 9587)? <BAD PTR>[|domain]
[...]
^C User interrupt...
sendpacket_abort
tcpdump: pcap_loop: error reading dump file: Interrupted system call
Actual: 8 packets (1959 bytes) sent in 5.78 seconds
Rated: 338.8 Bps, 0.002 Mbps, 1.38 pps
Flows: 1 flows, 0.17 fps, 8 flow packets, 0 non-flow
Statistics for network device: enp3s0
	Successful packets:        7
	Failed packets:            0
	Truncated packets:         0
	Retried packets (ENOBUFS): 0
	Retried packets (EAGAIN):  0
 
That is as far as we can take it.  Good enough hopefully.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
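
Added example, not tcpreplay's code and not part of this bug report: the advisory in Comment 2 describes an over-read while get_ipv6_next() in common/get.c walks IPv6 headers, and Comment 3 shows that the packets being rewritten can be shorter than their headers claim (snaplen truncation, or a PoC built to say so). The C below is a hypothetical bounds-checked IPv6 next-header walker that takes the captured length alongside the packet and refuses any extension header that does not fit, which is the class of check that turns an over-read into a clean parse failure. The names (ipv6_walk, build_sample_packet, demo_*) and the sample packet are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not tcpreplay's get_ipv6_next(): every read of
 * an extension header is checked against caplen (bytes actually present)
 * before it happens, so a truncated or lying packet is rejected, not over-read. */

#define IPV6_HDR_LEN   40
#define PROTO_HOPOPTS   0
#define PROTO_TCP       6
#define PROTO_UDP      17
#define PROTO_ROUTING  43
#define PROTO_FRAGMENT 44
#define PROTO_DSTOPTS  60
#define MAX_EXT_HEADERS 8   /* refuse absurdly long chains */

typedef struct {
    int ok;            /* 1 if the whole chain fit in caplen, else 0 */
    uint8_t proto;     /* upper-layer protocol reached (valid when ok) */
    size_t l4_offset;  /* offset of the upper-layer header in the packet */
} ipv6_walk_t;

static int is_ext_header(uint8_t nh) {
    return nh == PROTO_HOPOPTS || nh == PROTO_ROUTING ||
           nh == PROTO_FRAGMENT || nh == PROTO_DSTOPTS;
}

/* pkt points at the fixed IPv6 header; caplen is the captured byte count. */
ipv6_walk_t ipv6_walk(const uint8_t *pkt, size_t caplen) {
    ipv6_walk_t r = {0, 0, 0};
    if (caplen < IPV6_HDR_LEN) return r;          /* fixed header does not fit */
    uint8_t nh = pkt[6];                          /* Next Header field */
    size_t off = IPV6_HDR_LEN;
    int hops = 0;
    while (is_ext_header(nh)) {
        if (++hops > MAX_EXT_HEADERS) return r;
        /* each extension header begins with Next Header + Hdr Ext Len */
        if (caplen - off < 2) return r;           /* cannot even read the length */
        uint8_t next = pkt[off];
        size_t len = (nh == PROTO_FRAGMENT) ? 8    /* fragment header is fixed size */
                   : ((size_t)pkt[off + 1] + 1) * 8;
        if (len > caplen - off) return r;         /* header runs past captured bytes */
        off += len;
        nh = next;
    }
    r.ok = 1;
    r.proto = nh;
    r.l4_offset = off;
    return r;
}

/* Constructed sample: IPv6 (40) + Hop-by-Hop (8) + Dest Opts (8) + UDP (8) = 64 bytes */
size_t build_sample_packet(uint8_t *buf, size_t cap) {
    memset(buf, 0, cap);
    buf[0] = 0x60;                 /* version 6 */
    buf[4] = 0; buf[5] = 24;       /* payload length */
    buf[6] = PROTO_HOPOPTS;        /* first next-header */
    buf[7] = 64;                   /* hop limit */
    buf[40] = PROTO_DSTOPTS; buf[41] = 0;   /* Hop-by-Hop: len 0 -> 8 bytes */
    buf[48] = PROTO_UDP;     buf[49] = 0;   /* Dest Opts: len 0 -> 8 bytes */
    return 64;
}

/* Full packet parses to UDP at offset 56; the same bytes captured with a
 * snaplen of 44 stop inside Hop-by-Hop and are rejected instead of over-read. */
int demo_truncated(void) {
    uint8_t buf[128];
    size_t len = build_sample_packet(buf, sizeof buf);
    ipv6_walk_t full = ipv6_walk(buf, len);
    ipv6_walk_t cut  = ipv6_walk(buf, 44);
    return full.ok && full.proto == PROTO_UDP && full.l4_offset == 56 && !cut.ok;
}

/* A header whose Hdr Ext Len claims 2048 bytes inside a 64-byte capture is rejected. */
int demo_oversized_len(void) {
    uint8_t buf[128];
    size_t len = build_sample_packet(buf, sizeof buf);
    buf[41] = 255;
    return !ipv6_walk(buf, len).ok;
}

int main(void) {
    printf("truncated capture rejected: %d\n", demo_truncated());
    printf("oversized ext len rejected: %d\n", demo_oversized_len());
    return 0;
}
```

The point of passing caplen rather than trusting the IPv6 payload length is exactly the situation in Comment 3: a capture with a 500-byte snaplen (or a crafted pcap) hands the rewriter fewer bytes than the headers describe, and a walker that reads Next Header fields without that check walks off the end of the heap buffer.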

Comment 4 Thomas Andrews 2020-07-04 03:43:04 CEST
Taking your word for it, Len. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 12:50:31 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 5 Mageia Robot 2020-07-05 13:27:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0278.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

