why running your tcpdump sessions in a sandbox is a good idea

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Fri, 3 Apr 2015 20:24:51 +0000

The latest version of tcpdump supports sandboxing out of the box. Why
enable the sandbox for tcpdump?

Are there any real security benefits?

Have a look at the 4 recent security advisories:
http://www.ubuntu.com/usn/usn-2433-1/

Steffen Bauch discovered that tcpdump incorrectly handled printing OLSR
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8767)

Steffen Bauch discovered that tcpdump incorrectly handled printing GeoNet
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-8768)

Steffen Bauch discovered that tcpdump incorrectly handled printing AODV
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, reveal sensitive information, or possibly
execute arbitrary code. (CVE-2014-8769)

It was discovered that tcpdump incorrectly handled printing PPP packets. A
remote attacker could use this issue to cause tcpdump to crash, resulting
in a denial of service, or possibly execute arbitrary code.

Each time you run tcpdump on a web server, you're running the risk of
getting your web server compromised, because of the many protocol
filters it has loaded.

A single vulnerability in one tcpdump filter means that it's possible
for an attacker to run arbitrary code as the superuser, which is very
bad.

By sandboxing, we prevent an attacker from exploiting a vulnerability
such as the ones above to achieve remote code execution: the packet
capture engine is isolated in a sandbox where it cannot open arbitrary
files or attempt to execute code, because the number of system calls it
is allowed to make is limited.
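The isolation described above, as an added example that is not tcpdump's own code (tcpdump's sandbox is Capsicum on FreeBSD; this uses Linux seccomp-bpf to show the same principle): a child process installs an allow-list of read, write and exit, then tries to open a file the way an exploited printer would, and the kernel terminates it with SIGSYS. It assumes Linux on x86_64 or aarch64 with glibc; the function names are mine.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this CPU"
#endif
/* Allow-list filter: read, write and exit only; any other syscall kills the process. */
static int install_sandbox(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0), /* foreign ABI: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* open, execve, ... end here */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed for unprivileged seccomp */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Fork a child that enters the sandbox and then tries to open a file. Returns 1 if the
 * kernel killed it with SIGSYS, 0 if the open syscall was allowed, -1 on setup failure. */
int sandbox_blocks_open(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_sandbox() != 0) _exit(2);
        int fd = open(path, O_RDONLY); /* reaches the kernel as open/openat: not on the list */
        _exit(fd >= 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 2) ? -1 : 0;
}
```

In a real capture tool the filter is installed after the capture device and any output file are already open, so the allowed syscalls only need to cover reading packets and writing results.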

The Internet is hostile, run tcpdump in a sandbox :)

//Kind regards,
//Logan
C-x-C-c

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
Received on Fri Apr 03 2015 - 20:25:05 PST

This archive was generated by hypermail 2.3.0 : Fri Apr 03 2015 - 20:27:01 PST