From 3n7r0py1 at gmail.com Tue Jun 7 07:13:14 2016
From: 3n7r0py1 at gmail.com (entr0py)
Date: Tue, 7 Jun 2016 06:13:14 +0000
Subject: [Iftop-users] iftop Security
Message-ID: <575665FA.5030003@gmail.com>

Are there any security implications for running iftop continuously on an internet-facing production machine?

Have there been past vulnerabilities?

Would iftop be susceptible to libpcap vulnerabilities?

Does enabling promiscuous mode increase risk?

Thanks in advance!

From pdw at ex-parrot.com Tue Jun 7 09:11:33 2016
From: pdw at ex-parrot.com (Paul Warren)
Date: Tue, 7 Jun 2016 09:11:33 +0100
Subject: [Iftop-users] iftop Security
In-Reply-To: <575665FA.5030003@gmail.com>
References: <575665FA.5030003@gmail.com>
Message-ID: <575681B5.8050107@ex-parrot.com>

On 07/06/2016 07:13, entr0py wrote:
> Are there any security implications for running iftop continuously on an internet-facing production machine?

Potentially. It's code processing untrusted data that's typically running as root. That said, the processing is of packet headers which are typically of fixed size so obvious buffer overflow vulnerabilities are unlikely.

> Have there been past vulnerabilities?

No.

> Would iftop be susceptible to libpcap vulnerabilities?

Yes.

> Does enabling promiscuous mode increase risk?

Yes, in that you'll see more packets than you would do otherwise. Of course a targeted attack could just send the packet to your machine even if you weren't in promiscuous mode.

Paul
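
As an added illustration of the fixed-size-header point in the reply above (not part of the thread and not iftop's code): a header parser stays inside its buffer only when each read is preceded by a check against the captured length, and when the one variable-length part of the IPv4 header, the IHL field, is validated. `parse_ipv4`, `struct flow`, the return codes and the sample frame are hypothetical names and constructed data for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14u
#define IP4_MIN_HDR 20u

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_NOT_IPV4 = -2, PARSE_BAD_IHL = -3 };

struct flow { uint32_t src, dst; uint8_t proto; };   /* addresses in host byte order */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* caplen: bytes actually present in pkt (what libpcap reports as pcap_pkthdr.caplen).
 * Every read below is preceded by a check that the bytes exist. */
int parse_ipv4(const uint8_t *pkt, size_t caplen, struct flow *out) {
    if (caplen < ETH_HDR_LEN) return PARSE_TRUNCATED;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return PARSE_NOT_IPV4;   /* EtherType */
    size_t avail = caplen - ETH_HDR_LEN;          /* cannot underflow: checked above */
    if (avail < IP4_MIN_HDR) return PARSE_TRUNCATED;
    const uint8_t *ip = pkt + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return PARSE_NOT_IPV4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* attacker-controlled: 0..60 bytes */
    if (ihl < IP4_MIN_HDR) return PARSE_BAD_IHL;
    if (ihl > avail) return PARSE_TRUNCATED;      /* options claimed but not captured */
    out->proto = ip[9];
    out->src = be32(ip + 12);
    out->dst = be32(ip + 16);
    return PARSE_OK;
}

/* Constructed sample frame: 192.0.2.1 -> 198.51.100.7, protocol 6 (TCP), no options. */
static const uint8_t SAMPLE[34] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00,     /* MACs, EtherType */
    0x45,0,0,0x14,  0,0,0,0,  0x40,0x06,0,0,               /* IPv4 fixed fields */
    192,0,2,1,  198,51,100,7                               /* src, dst */
};

int main(void) {
    struct flow f;
    for (size_t n = 30; n <= sizeof SAMPLE; n += 2)  /* truncated and full captures */
        printf("caplen=%zu -> %d\n", n, parse_ipv4(SAMPLE, n, &f));
    return 0;
}
```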