Nmap Development mailing list archives

Re: NPCAP GitHub Security Advisories


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 4 May 2021 10:11:51 -0500

I would like to add a clarification on the libpcap CVEs: since libpcap is a
user-mode DLL (wpcap.dll in the Npcap installation), it is not capable of
crashing the entire system. Instead, the impact of any CVEs would be
limited to the application and user that is using the DLL. For specifics on
the particular CVEs addressed, see the libpcap changelog at
https://www.tcpdump.org/libpcap-changes.txt

Dan
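The point above (a user-mode wpcap.dll bounds the impact of a libpcap bug to the process and user that loaded it, not to the kernel) suggests the first thing an administrator wants after reading such an advisory: which processes on this host actually have wpcap.dll loaded, under which accounts, and at which file version. The PowerShell below is an added example, not code from the Npcap project or from this thread; it assumes the DLL is named wpcap.dll as described in the mail, and that it is run from an elevated session so that other users' module lists are readable.

```powershell
# Added example (not from the Npcap project or the original mail).
# Lists running processes that have the user-mode libpcap DLL (wpcap.dll)
# loaded, with the owning account and the DLL's file version, so a libpcap
# CVE can be scoped to the applications and users that actually use the DLL.
# Assumptions: module name 'wpcap.dll' as named in the mail; run elevated so
# that Get-Process can read module lists of processes in other sessions.

$dllName = 'wpcap.dll'

$hits = foreach ($proc in Get-Process) {
    try {
        # Module enumeration can throw (access denied, 32/64-bit mismatch).
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq $dllName }
    } catch {
        # Record the gap instead of silently skipping the process.
        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            PID         = $proc.Id
            Owner       = $null
            DllPath     = $null
            DllVersion  = 'unreadable'
        }
        continue
    }
    if (-not $mod) { continue }

    # Resolve the process owner via Win32_Process.GetOwner (works on
    # Windows PowerShell 5.1 and PowerShell 7).
    $owner = $null
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue
    if ($cim) {
        $o = Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction SilentlyContinue
        if ($o -and $o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
    }

    [pscustomobject]@{
        ProcessName = $proc.ProcessName
        PID         = $proc.Id
        Owner       = $owner
        DllPath     = $mod.FileName
        DllVersion  = $mod.FileVersionInfo.FileVersion
    }
}

# One row per process; compare DllVersion against the libpcap changelog
# referenced above to decide whether an upgrade is needed.
$hits | Sort-Object DllVersion, ProcessName | Format-Table -AutoSize
```

The output is an inventory, not a verdict: a row whose DllVersion predates the libpcap release that fixed the CVE in question tells you which application and which account are exposed, and a row marked "unreadable" tells you where the scan needs elevation rather than that the DLL is absent. Because only currently running processes are listed, repeat the scan over time or combine it with an installed-file check if you need coverage of packet-capture tools that are run intermittently.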

On Sat, May 1, 2021 at 1:23 PM Gordon Fyodor Lyon <fyodor () nmap org> wrote:

Hi Jay.  Good questions, and I'm glad you like Nmap and Npcap!  We are not
using GitHub's security feature at present.  If we issued a security
advisory for Npcap or Nmap, we would likely host it ourselves.  But Github
adds that tab to all projects by default and, from a quick glance at
settings, I don't see an obvious way to remove it.  I think your best bet
is to sign up for release announcements through GitHub and look for entries
tagged security.  You can look for CVE references as well (like you did).
And such entries normally link to an issue number or CVE that you can look
up for more information.  Regarding the specific 2 references to CVEs in
the Npcap Changelog:

* Issue #1398 / #1568 (CVE-2019-11490) -> This was a crash bug in just
Npcap version 0.992 from 2019 which was quickly discovered and fixed
after the release.  A local user of the system that was given access to
Npcap could crash the system. The reporter speculated that privilege
elevation by such an authorized user could be possible, which is worth
noting even though it hasn't been demonstrated.

* Libpcap 1.9.1 Update - Here we referenced that this update (also from
2019) by the Libpcap project addressed some CVE-identified vulnerabilities
in Libpcap related to pcapng reading.  We wanted to mention that (including
the link to Libpcap changelog) so people could investigate if desired, but
we haven't spent a lot of time investigating whether any of them could
possibly affect Npcap in any way.  If so, I think it would be another case
where only local users of the system authorized to use Npcap (e.g. you can
use admin mode to prevent non-admins) could exploit it, and most likely
only to crash the system.

I have just added 'security' labels to the Npcap and Nmap issues trackers
that we can use to tag security-relevant or possibly security-relevant
issues for easier searching.

Our main goal is to quickly fix any and all bugs that have even a small
chance of being security relevant.  We don't usually spend a lot of time
examining the potential exploitability of issues.  Instead we try to do the
quick release and clearly note any possibly security relevant issues even
if it's probably not a major issue.  That way users have all the
information and can do their own investigation or just upgrade (which is
recommended anyway).  But if there was an issue which seems really serious
(like remote exploitability) we would definitely try to announce that more
widely.

I hope this helps.

-Gordon

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/