Multiple Vulnerabilities in tcpdump
A Debian security update for tcpdump addresses 41 different vulnerabilities in tcpdump (the CVEs are listed below) [1]. While there are not a lot of details available yet, some of the vulnerabilities can apparently be used to execute arbitrary code.
This is particularly worrying if you use tcpdump to look at live attack traffic. Of course, remember that you can have tcpdump relinquish its root privileges once it has opened the capture interface (-Z userid), but a successful exploit would still execute code as the user tcpdump runs as, with that user's access to the captured traffic and anything else it can read.
All tcpdump versions prior to 4.9.0 may be vulnerable (again, not a lot of details yet). Based on a quick look at the vulnerability summaries below, it looks like various "print" functions (the per-protocol dissectors) are affected. These functions should not be called if you just write packets to a file using the "-w" option: tcpdump then stores the raw frames and does not dissect them. Keep in mind that reading the file back with "-r" on an unpatched tcpdump invokes the same parsers, so do the analysis with a patched tcpdump or a different tool. So the best way to run tcpdump until you are patched:
tcpdump -Z nobody -w filename ...[other options]...
("nobody" may not be the best choice for your platform. Pick a low privilege user that works for you)
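As an added example (not from the diary or the tcpdump project), the following POSIX shell script wraps the advice above: it parses the installed tcpdump's version string, treats anything older than 4.9.0 (or an unparseable version) as vulnerable, and in that case starts a capture that drops privileges with -Z and writes raw packets with -w so the protocol print functions are never reached. The user name "nobody", the interface "eth0" and the output path are assumptions; adjust them for your platform.

```shell
#!/bin/sh
# Added example: capture-only tcpdump wrapper for unpatched (< 4.9.0) builds.
# Not part of the ISC diary or the tcpdump project; user, interface and
# output path below are assumptions.

# Extract "x.y.z" from the first line of `tcpdump --version`
# (e.g. "tcpdump version 4.8.1" -> "4.8.1"). Prints nothing if no match.
parse_tcpdump_version_line() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) if the dotted version is older than 4.9.0.
# Components are compared numerically, so 4.10.0 is correctly newer than 4.9.0.
# An empty or unparseable version is treated as vulnerable (fail closed).
tcpdump_predates_490() {
    # keep only the leading dotted digits ("4.9.0-3" -> "4.9.0")
    v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*$/\1/p')
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; then return 0; fi
    return 1
}

# Start a capture that never calls the dissectors:
#   -Z  drop root to the given user after the capture device is opened
#   -w  write raw frames to a file instead of printing (no "print" parsers)
# Any further arguments (e.g. a BPF filter) are passed through to tcpdump.
safe_capture() {
    user=$1; outfile=$2; iface=$3; shift 3
    tcpdump -Z "$user" -i "$iface" -w "$outfile" "$@"
}

main() {
    line=$(tcpdump --version 2>&1 | head -n 1)
    ver=$(parse_tcpdump_version_line "$line")
    if tcpdump_predates_490 "$ver"; then
        echo "tcpdump '${ver:-unknown}' predates 4.9.0: capturing to file only" >&2
        # assumed values: low-privilege user, interface and output location
        safe_capture nobody /var/tmp/capture.pcap eth0 "$@"
    else
        echo "tcpdump $ver is 4.9.0 or newer; run it normally" >&2
    fi
}

# Run the wrapper only when invoked with --run (e.g. ./wrapper.sh --run 'port 80').
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

The captured file should then be analysed with a patched tcpdump (or another dissector) rather than read back with "-r" on the same unpatched binary.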
CVE Number | Description |
CVE-2016-7922 | The AH parser in tcpdump before 4.9.0 has a buffer overflow in print-ah.c:ah_print(). |
CVE-2016-7923 | The ARP parser in tcpdump before 4.9.0 has a buffer overflow in print-arp.c:arp_print(). |
CVE-2016-7924 | The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:oam_print(). |
CVE-2016-7925 | The compressed SLIP parser in tcpdump before 4.9.0 has a buffer overflow in print-sl.c:sl_if_print(). |
CVE-2016-7926 | The Ethernet parser in tcpdump before 4.9.0 has a buffer overflow in print-ether.c:ethertype_print(). |
CVE-2016-7927 | The IEEE 802.11 parser in tcpdump before 4.9.0 has a buffer overflow in print-802_11.c:ieee802_11_radio_print(). |
CVE-2016-7928 | The IPComp parser in tcpdump before 4.9.0 has a buffer overflow in print-ipcomp.c:ipcomp_print(). |
CVE-2016-7929 | The Juniper PPPoE ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-juniper.c:juniper_parse_header(). |
CVE-2016-7930 | The LLC/SNAP parser in tcpdump before 4.9.0 has a buffer overflow in print-llc.c:llc_print(). |
CVE-2016-7931 | The MPLS parser in tcpdump before 4.9.0 has a buffer overflow in print-mpls.c:mpls_print(). |
CVE-2016-7932 | The PIM parser in tcpdump before 4.9.0 has a buffer overflow in print-pim.c:pimv2_check_checksum(). |
CVE-2016-7933 | The PPP parser in tcpdump before 4.9.0 has a buffer overflow in print-ppp.c:ppp_hdlc_if_print(). |
CVE-2016-7934 | The RTCP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtcp_print(). |
CVE-2016-7935 | The RTP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:rtp_print(). |
CVE-2016-7936 | The UDP parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:udp_print(). |
CVE-2016-7937 | The VAT parser in tcpdump before 4.9.0 has a buffer overflow in print-udp.c:vat_print(). |
CVE-2016-7938 | The ZeroMQ parser in tcpdump before 4.9.0 has an integer overflow in print-zeromq.c:zmtp1_print_frame(). |
CVE-2016-7939 | The GRE parser in tcpdump before 4.9.0 has a buffer overflow in print-gre.c, multiple functions. |
CVE-2016-7940 | The STP parser in tcpdump before 4.9.0 has a buffer overflow in print-stp.c, multiple functions. |
CVE-2016-7973 | The AppleTalk parser in tcpdump before 4.9.0 has a buffer overflow in print-atalk.c, multiple functions. |
CVE-2016-7974 | The IP parser in tcpdump before 4.9.0 has a buffer overflow in print-ip.c, multiple functions. |
CVE-2016-7975 | The TCP parser in tcpdump before 4.9.0 has a buffer overflow in print-tcp.c:tcp_print(). |
CVE-2016-7983 | The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). |
CVE-2016-7984 | The TFTP parser in tcpdump before 4.9.0 has a buffer overflow in print-tftp.c:tftp_print(). |
CVE-2016-7985 | The CALM FAST parser in tcpdump before 4.9.0 has a buffer overflow in print-calm-fast.c:calm_fast_print(). |
CVE-2016-7986 | The GeoNetworking parser in tcpdump before 4.9.0 has a buffer overflow in print-geonet.c, multiple functions. |
CVE-2016-7992 | The Classical IP over ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-cip.c:cip_if_print(). |
CVE-2016-7993 | A bug in util-print.c:relts_print() in tcpdump before 4.9.0 could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM). |
CVE-2016-8574 | The FRF.15 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:frf15_print(). |
CVE-2016-8575 | The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2017-5482. |
CVE-2017-5202 | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). |
CVE-2017-5203 | The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). |
CVE-2017-5204 | The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(). |
CVE-2017-5205 | The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in print-isakmp.c:ikev2_e_print(). |
CVE-2017-5341 | The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print(). |
CVE-2017-5342 | In tcpdump before 4.9.0, a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). |
CVE-2017-5482 | The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575. |
CVE-2017-5483 | The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). |
CVE-2017-5484 | The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(). |
CVE-2017-5485 | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in addrtoname.c:lookup_nsap(). |
CVE-2017-5486 | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). |
[1] https://www.debian.org/security/2017/dsa-3775
UPDATE RW: tcpdump 4.9.0 has been released to address these vulnerabilities.