https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14313

            Bug ID: 14313
           Summary: dumpcap unconditionally enables the kernel's BPF JIT
                    compiler
           Product: Wireshark
           Version: 2.4.3
          Hardware: x86
                OS: Debian
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: TShark
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: jadev...@mtu.edu
  Target Milestone: ---

Created attachment 16064
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16064&action=edit
Patch to remove the relevant code entirely

Build Information:
TShark (Wireshark) 2.4.3 (Git v2.4.3 packaged as 2.4.3-1)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.54.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.16, with Gcrypt 1.8.1, with MIT Kerberos, with GeoIP,
with nghttp2 1.28.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.14.0-3-amd64, with Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz
(with SSE4.2), with 3854 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=en_US.UTF-8, LC_TIME=C, LC_COLLATE=C,
LC_MONETARY=en_US.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=en_US.UTF-8,
LC_NAME=en_US.UTF-8, LC_ADDRESS=en_US.UTF-8, LC_TELEPHONE=en_US.UTF-8,
LC_MEASUREMENT=en_US.UTF-8, LC_IDENTIFICATION=en_US.UTF-8, with libpcap version
1.8.1, with GnuTLS 3.5.16, with Gcrypt 1.8.1, with zlib 1.2.8.

Built using gcc 7.2.0.
--
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=dumpcap.c;hb=wireshark-2.4.3#l166

I'm sure this made sense to do for performance reasons when the code was first
added to dumpcap but the kernel's BPF JIT compiler is a known attack vector for
Spectre variant 1 (CVE-2017-5753). There have been at least two other CVEs in
the 4.14 kernel related to the BPF JIT compiler as well (CVE-2017-16995 and
CVE-2017-16996). There is no warning being given when dumpcap runs about it
changing this setting, instead the only warning is at the bottom of the help
output for dumpcap/tshark.

Since the default value of kernel.unprivileged_bpf_disabled is 0, this means
dumpcap is enabling the BPF JIT for unprivileged users and opening a security
hole on an otherwise securely configured system. An admin who believes
themselves safe from Spectre variant 1 (or other BPF JIT related CVE) because
net.core.bpf_jit_enable is 0 will inadvertently and unknowingly introduce a
security hole to their system just by running a packet capture with wireshark
or tshark.

I've attached a patch to remove this code from dumpcap along with the related
messages in the help output of dumpcap and tshark. A more complicated approach
which considers or changes the value of kernel.unprivileged_bpf_disabled is
also possible, but at this point I believe it is better to just not touch these
settings at all.
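A defender-side check for the behaviour described in this report, added here as an example (not part of the bug report, the attached patch, or Wireshark itself): snapshot net.core.bpf_jit_enable and kernel.unprivileged_bpf_disabled before and after a capture tool runs and warn if either changed. PROC_ROOT is an assumption (defaulting to /proc) so the check can be pointed at a constructed copy of the sysctl tree.

```shell
#!/bin/sh
# Added example, not Wireshark code. Snapshots the two sysctls the report
# discusses around a capture run and warns if the capture changed them.
# PROC_ROOT is an assumption (defaults to /proc) so the check can be run
# against a constructed copy of the sysctl tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "name=value" for each BPF sysctl of interest, "missing" if unreadable.
bpf_sysctl_snapshot() {
    for f in net/core/bpf_jit_enable kernel/unprivileged_bpf_disabled; do
        p="$PROC_ROOT/sys/$f"
        if [ -r "$p" ]; then v=$(cat "$p"); else v=missing; fi
        printf '%s=%s\n' "$(printf '%s' "$f" | tr / .)" "$v"
    done
}

# Compare two snapshot files. Returns 0 if identical, 1 (plus a warning on
# stderr showing both states) if any sysctl changed.
bpf_sysctl_diff() {
    if [ "$(cat "$1")" = "$(cat "$2")" ]; then
        return 0
    fi
    echo "WARNING: BPF sysctls changed while the capture tool ran" >&2
    echo "before:" >&2; cat "$1" >&2
    echo "after:"  >&2; cat "$2" >&2
    return 1
}

# Run a capture command (e.g. dumpcap -i eth0 -w out.pcapng) between two
# snapshots. Returns the capture's status, or 2 if the sysctls changed.
capture_with_bpf_check() {
    before=$(mktemp); after=$(mktemp)
    bpf_sysctl_snapshot > "$before"
    "$@"; rc=$?
    bpf_sysctl_snapshot > "$after"
    bpf_sysctl_diff "$before" "$after" || rc=2
    rm -f "$before" "$after"
    return "$rc"
}

# Usage: ./bpf_check.sh dumpcap -i eth0 -w out.pcapng
if [ "$#" -gt 0 ]; then
    capture_with_bpf_check "$@"
fi
```

The check only reads /proc/sys, so it needs no privileges beyond those of the capture command it wraps.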

Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs