Package: arpwatch
Version: 2.1a15-9
Severity: grave
Tags: security
X-Debbugs-CC: [email protected]

Dear Maintainer,

arpwatch 2.1a15 contains a heap buffer overflow in db.c. When arpwatch
performs a reverse DNS lookup for an IP address observed in ARP traffic,
the resolved hostname is copied into a fixed 34-byte buffer without length
validation. A DNS response containing a hostname longer than 33 characters
(valid per RFC 1035, max 253 characters) overflows the buffer by up to
219 bytes.

The fix is present in upstream arpwatch 3.0 (released 2019-12-01) but
Debian bookworm still ships version 2.1a15 from 2000.


VULNERABLE CODE
===============

File: db.c

    struct einfo {
        u_char e[6];    /* ether address */
        char h[34];     /* simple hostname  <- only 34 bytes */
        time_t t;       /* timestamp */
    };

Two affected locations:

1. elist_alloc() -- called when a new IP/MAC pair is first seen:

    h = getsname(a);
    if (h != NULL && !isdigit((int)*h))
        strcpy(ep->h, h);    /* <- overflow if len(h) > 33 */

2. check_hname() -- called when hostname changes:

    h = getsname(ap->a);
    if (!isdigit((int)*h) && strcmp(h, ep->h) != 0) {
        strcpy(ep->h, h);    /* <- overflow if len(h) > 33 */
    }

getsname() calls gethostbyaddr() and truncates the result at the first
'.' (to strip the domain). A PTR record containing a label without dots
(e.g. 253 'A' characters) passes through untruncated and causes the
overflow.


ATTACK SCENARIO
===============

1. arpwatch is running and monitoring a network interface.
2. An ARP packet is observed for an IP address.
3. arpwatch performs a reverse DNS lookup (PTR query) for that IP.
4. An attacker who controls the DNS response (via rogue DNS server,
   DNS cache poisoning, or control of the PTR record for the IP)
   returns a hostname of 34 or more characters without any dots.
5. strcpy(ep->h, h) overflows the 34-byte heap buffer by up to 219
   bytes, corrupting adjacent heap metadata.

On Debian, arpwatch typically runs as root or a dedicated user with
CAP_NET_RAW. A successful exploit could achieve arbitrary code execution
with those privileges.


FIX IN UPSTREAM 3.x
===================

Fixed in arpwatch 3.0 (2019-12-01) with two changes:

  1. Buffer size increased from 34 to 64 bytes:
       char h[64];   /* simple hostname */

  2. strcpy replaced with bounded copy:
       strncpy(ep->h, h, sizeof(ep->h));
       ep->h[sizeof(ep->h) - 1] = '\0';
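
As an added illustration (not arpwatch's own code), the C program below models the einfo record with the 3.0 buffer size, reproduces the dot-stripping step of getsname(), and contrasts the overflow condition of the 2.1a15 strcpy() with the bounded copy above; strip_domain(), would_overflow() and set_hostname() are names constructed for this example, and the 253-character label is a constructed PTR answer.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not arpwatch's own code: an einfo record with the
 * 64-byte h of upstream 3.0, the dot-stripping step of getsname(),
 * and a bounded copy that replaces the 2.1a15 strcpy(). */
struct einfo {
    unsigned char e[6];   /* ether address */
    char h[64];           /* simple hostname (34 bytes in 2.1a15) */
    long t;               /* timestamp */
};

/* getsname() keeps only the first label: cut at the first '.'.
 * A PTR answer that is one dot-free label passes through at full length. */
static void strip_domain(char *name)
{
    char *dot = strchr(name, '.');
    if (dot != NULL)
        *dot = '\0';
}

/* 1 if strcpy() of name (plus its NUL) into a bufsz-byte buffer would
 * write past the end, i.e. the condition that triggers the 2.1a15 bug. */
static int would_overflow(const char *name, size_t bufsz)
{
    return strlen(name) + 1 > bufsz;
}

/* Bounded copy as in upstream 3.0: never writes past ep->h and always
 * leaves it NUL-terminated. Returns 1 if name had to be truncated. */
static int set_hostname(struct einfo *ep, const char *name)
{
    strncpy(ep->h, name, sizeof(ep->h));
    ep->h[sizeof(ep->h) - 1] = '\0';
    return strlen(name) >= sizeof(ep->h);
}

int main(void)
{
    struct einfo ep = {0};
    char name[254];                     /* constructed PTR answer: 253 x 'A' */
    memset(name, 'A', 253);
    name[253] = '\0';
    strip_domain(name);                 /* no '.', so still 253 characters */
    printf("strcpy into 34-byte h overflows: %d\n", would_overflow(name, 34));
    printf("bounded copy truncated: %d, stored %zu chars\n",
           set_hostname(&ep, name), strlen(ep.h));
    return 0;
}
```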

Recommended remediation: update the Debian package from 2.1a15 to the
current upstream release (3.6, 2024-01-21).

Upstream source:
  https://ee.lbl.gov/downloads/arpwatch/arpwatch-3.6.tar.gz


CVSS ESTIMATE
=============

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -- Score: 8.1 (High)


DISCLOSURE TIMELINE
===================

  2026-05-21  Vulnerability identified during source code audit
  2026-05-21  Report submitted to [email protected]
  2026-05-22  Report submitted to Debian BTS at Moritz Mühlenhoff's request


Reporter: Igor Garofano <[email protected]>
