CVE-2015-0261

Vulnerability

An integer signedness error exists in the mobility_opt_print function within the IPv6 mobility printer of tcpdump prior to version 4.7.2. When processing a malformed IPv6 mobility option, the function interprets a length field as a signed integer and passes a negative value to a memory operation, leading to an out-of-bounds read. This bug is reachable when tcpdump is used in live capture mode (without -w) or processes a crafted pcap file containing a malicious IPv6 packet. Affected versions include all tcpdump releases before 4.7.2 [1][2].

Exploitation

An attacker can trigger the vulnerability by sending a specially crafted IPv6 packet with a mobility header that contains a negative length value in the option field. No authentication is required; the attacker only needs to be able to inject packets onto a network segment where tcpdump is capturing traffic. The affected code path is reached when tcpdump decodes the mobility option, causing it to read beyond the buffer boundaries using the negative length as an index or size parameter [1][2].

Impact

Successful exploitation results in an out-of-bounds read that can cause tcpdump to crash, resulting in a denial of service. In some circumstances, the memory read may be leveraged by an attacker to execute arbitrary code on the system running tcpdump, potentially leading to a full compromise of the affected host [1]. The impact is rated Moderate by Red Hat, with a CVSS score not explicitly provided in the references but described as a medium-severity issue [2].

Mitigation

The vulnerability is fixed in tcpdump version 4.7.2 and later. Red Hat Enterprise Linux 7 users received an updated tcpdump package (4.9.0) as part of RHSA-2017:1871 [1]. Fedora distributions issued updates in March 2015 [3][4]. Users should upgrade to the latest version of tcpdump provided by their operating system vendor. No workarounds are documented; the only mitigation is to apply the patch or update the software.