Nmap Development mailing list archives
Re: NPCAP GitHub Security Advisories
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 4 May 2021 10:11:51 -0500
I would like to add a clarification on the libpcap CVEs: since libpcap is a user-mode DLL (wpcap.dll in the Npcap installation), it is not capable of crashing the entire system. Instead, the impact of any CVEs would be limited to the application and user that is using the DLL. For specifics on the particular CVEs addressed, see the libpcap changelog at https://www.tcpdump.org/libpcap-changes.txt

Dan

On Sat, May 1, 2021 at 1:23 PM Gordon Fyodor Lyon <fyodor () nmap org> wrote:
Hi Jay. Good questions, and I'm glad you like Nmap and Npcap! We are not using GitHub's security feature at present. If we issued a security advisory for Npcap or Nmap, we would likely host it ourselves. But GitHub adds that tab to all projects by default and, from a quick glance at settings, I don't see an obvious way to remove it.

I think your best bet is to sign up for release announcements through GitHub and look for entries tagged security. You can look for CVE references as well (like you did). And such entries normally link to an issue number or CVE that you can look up for more information.

Regarding the specific 2 references to CVEs in the Npcap Changelog:

* Issue #1398 / #1568 (CVE-2019-11490) -> This was a crash bug in just Npcap version 0.992 from 2019 which was quickly discovered and fixed after the release. A local user of the system that was given access to Npcap could crash the system. The reporter speculated that privilege elevation by such an authorized user could be possible, which is worth noting even though it hasn't been demonstrated.

* Libpcap 1.9.1 Update - Here we referenced that this update (also from 2019) by the Libpcap project addressed some CVE-identified vulnerabilities in Libpcap related to pcapng reading. We wanted to mention that (including the link to Libpcap changelog) so people could investigate if desired, but we haven't spent a lot of time investigating whether any of them could possibly affect Npcap in any way. If so, I think it would be another case where only local users of the system authorized to use Npcap (e.g. you can use admin mode to prevent non-admins) could exploit it, and most likely only to crash the system.

I have just added 'security' labels to the Npcap and Nmap issue trackers that we can use to tag security-relevant or possibly security-relevant issues for easier searching. Our main goal is to quickly fix any and all bugs that have even a small chance of being security relevant. We don't usually spend a lot of time examining the potential exploitability of issues. Instead we try to do the quick release and clearly note any possibly security relevant issues even if it's probably not a major issue. That way users have all the information and can do their own investigation or just upgrade (which is recommended anyway). But if there was an issue which seems really serious (like remote exploitability) we would definitely try to announce that more widely.

I hope this helps.

-Gordon

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- NPCAP GitHub Security Advisories Sethi, Jay (May 01)
- Re: NPCAP GitHub Security Advisories Gordon Fyodor Lyon (May 01)
- Re: NPCAP GitHub Security Advisories Daniel Miller (May 04)
- Re: NPCAP GitHub Security Advisories Gordon Fyodor Lyon (May 01)