CVE-2015-2154

Vulnerability

The osi_print_cksum() function in print-isoclns.c within the ethernet printer of tcpdump before version 4.7.2 lacks proper sanity checks on a crafted length, offset, or base pointer checksum value [1][2]. This allows an attacker to trigger an out-of-bounds read when the function passes invalid data to create_osi_cksum() in checksum.c [2].

Exploitation

An attacker can send specially crafted packets to a network segment where tcpdump is running in live capture mode (without the -w flag) or create a malicious pcap file that, when processed, causes tcpdump to call osi_print_cksum() with attacker-controlled checksum parameters that exceed buffer boundaries [2]. No authentication or special network position is required beyond the ability to inject packets or a crafted file [1].

Impact

Successful exploitation results in a denial of service due to an out-of-bounds read that crashes the tcpdump process [1][2]. The crash prevents the capture and display of network traffic; the advisory notes that this crash is the only observable impact [2].

Mitigation

The vulnerability is fixed in tcpdump version 4.7.2 and later [2]. Red Hat Enterprise Linux 7 received an updated tcpdump 4.9.0 as part of advisory RHSA-2017:1871 [1]. Fedora distributions backported the fix to version 4.7.3-1.fc21, 4.7.3-1.fc22, and 4.5.1-4.fc20 [2]. Users should upgrade to a patched version; no workaround is available other than restricting packet capture input.