CVE-2017-13688

Vulnerability

The OLSR parser in tcpdump before version 4.9.2 contains a buffer over-read in the function olsr_print() in print-olsr.c. The vulnerability is caused by insufficient bounds checking when processing OLSRv4 packets, allowing a crafted network packet to read beyond the allocated buffer boundaries. All versions prior to 4.9.2 are affected. The issue is described in CVE-2017-13688 and documented in the commit that introduces proper bounds checks [3].

Exploitation

An attacker with network access can send a malformed OLSR packet to a target system running a vulnerable version of tcpdump. No authentication is required, and the attack is triggered when tcpdump captures or processes the malicious packet during live capture or while reading a pcap file. The attacker does not need any special privileges beyond the ability to send network traffic to the target.

Impact

Successful exploitation results in an out-of-bounds read, potentially leading to information disclosure from the process's memory. In worst-case scenarios, the vulnerability may be leveraged to execute arbitrary code with the privileges of the tcpdump process, as indicated by the Gentoo security advisory [4]. The CVSS v3 base score of 9.8 (Critical) reflects the high impact on confidentiality, integrity, and availability without any requirement for user interaction or privileges.

Mitigation

The vulnerability is fixed in tcpdump version 4.9.2. The fix is available from the upstream repository [3] and included in vendor advisories from Apple [1], Red Hat [2], and Gentoo [4]. Users should upgrade tcpdump to version 4.9.2 or later. There is no known workaround for systems that cannot immediately be patched; blocking OLSR traffic at the network boundary may reduce exposure but does not fully mitigate the risk if tcpdump processes stored captures.