CVE-2018-14469
Description
A buffer over-read in the IKEv1 parser of tcpdump before 4.9.3 allows remote attackers to cause a denial of service or possibly execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The IKEv1 parser in tcpdump before version 4.9.3 contains a buffer over-read vulnerability in print-isakmp.c within the ikev1_n_print() function. When tcpdump processes a specially crafted IKEv1 packet, the parser reads beyond the allocated buffer boundary, leading to undefined behavior. The vulnerability affects all versions of tcpdump prior to 4.9.3. [1][2][3][4]
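The missing check named in the fix commit, as an added example that is not tcpdump's code: a 32-bit field is read only after confirming that four captured bytes remain before the end of the capture. `struct capbuf`, `cap_has`, `load_be32`, `print_replay_status`, `demo` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Captured bytes are [base, snapend); anything at or past snapend was never
 * captured and must not be read. struct capbuf is a hypothetical stand-in. */
struct capbuf { const uint8_t *base, *snapend; };

/* Nonzero only if the n bytes starting at p were all captured. */
static int cap_has(const struct capbuf *cb, const uint8_t *p, size_t n) {
    return p >= cb->base && p <= cb->snapend &&
           (size_t)(cb->snapend - p) >= n;
}

/* Big-endian 32-bit load. Performs no bounds check of its own. */
static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Format the replay-status word at cp. Returns 0 on success, or -1 with a
 * truncation marker in out when fewer than 4 captured bytes remain. */
int print_replay_status(const struct capbuf *cb, const uint8_t *cp,
                        char *out, size_t outlen) {
    if (!cap_has(cb, cp, 4)) {          /* check first, dereference second */
        snprintf(out, outlen, " [|n]");
        return -1;
    }
    snprintf(out, outlen, " status=(replay detection %sabled)",
             load_be32(cp) ? "en" : "dis");
    return 0;
}

/* Constructed sample: 4-byte SPI followed by a nonzero status word. */
static const uint8_t SAMPLE[8] = { 0, 0, 0, 4, 0, 0, 0, 1 };

/* Parse SAMPLE as if only caplen (<= 8) bytes had been captured. */
int demo(size_t caplen, char *out, size_t outlen) {
    struct capbuf cb = { SAMPLE, SAMPLE + caplen };
    return print_replay_status(&cb, SAMPLE + 4, out, outlen);
}

int main(void) {
    char buf[64];
    for (size_t n = 4; n <= 8; n += 2)
        printf("caplen=%zu rc=%d%s\n", n, demo(n, buf, sizeof buf), buf);
    return 0;
}
```

Without the `cap_has` call, the two short captures would make `load_be32` read bytes past `snapend`, which is the over-read class this CVE describes.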
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a malicious IKEv1 packet to a target system running a vulnerable version of tcpdump. The attacker needs no special privileges; simply capturing or analyzing network traffic containing the crafted IKEv1 packet triggers the buffer over-read. Successful exploitation may require the attacker to control the network path to ensure the malicious packet is processed by tcpdump. [2][3]
Impact
Exploitation of the buffer over-read can lead to a denial of service via crash of the tcpdump process. In some scenarios, it may allow an attacker to execute arbitrary code with the privileges of the tcpdump process. The impact can range from service disruption to potential remote code execution, depending on the exact exploitation technique used. [2][3]
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3, which was released on September 24, 2018 [4]. Users should upgrade to tcpdump 4.9.3 or later. Distributions such as Ubuntu have released patched packages (e.g., tcpdump 4.9.3-0ubuntu0.18.04.1 for Ubuntu 18.04 LTS) [3]. Apple addressed this issue (as CVE-2019-8837) in macOS Catalina 10.15.2 and other updates [1]. There are no known workarounds for unpatched installations; upgrading is the recommended solution.
[1] About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support
[2] USN-4252-2: tcpdump vulnerabilities | Ubuntu security notices | Ubuntu
[3] USN-4252-1: tcpdump vulnerabilities | Ubuntu security notices | Ubuntu
[4] tcpdump/CHANGES at tcpdump-4.9 · the-tcpdump-group/tcpdump
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- tcpdump/tcpdump (description)
- osv-coords, 9 versions (no CPE):
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0, range: < 4.9.2-lp150.10.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1, range: < 4.9.2-lp151.4.6.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed, range: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015, range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3, range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS, range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 4.9.2-14.17.1
Patches
2d9a693b04326VERSION set for release
1 file changed · +1 −1
VERSION+1 −1 modified@@ -1 +1 @@ -4.9.3rc2 +4.9.3
396e94ff55a8 (for 4.9.3) CVE-2018-14469/ISAKMP: Add a missing bounds check
4 files changed · +10 −0
print-isakmp.c+1 −0 modified@@ -1769,6 +1769,7 @@ ikev1_n_print(netdissect_options *ndo, u_char tpay _U_, } case IPSECDOI_NTYPE_REPLAY_STATUS: ND_PRINT((ndo," status=(")); + ND_TCHECK_32BITS(cp); ND_PRINT((ndo,"replay detection %sabled", EXTRACT_32BITS(cp) ? "en" : "dis")); ND_PRINT((ndo,")"));
tests/isakmp-ikev1_n_print-oobr.out+8 −0 added@@ -0,0 +1,8 @@ +IP (tos 0x12,ECT(0), ttl 17, id 47119, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->327b)!) + 80.236.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 10101010: child_sa ikev2_auth[V]: + (n: doi=0 proto=128 type=#24577) [|#126] (len mismatch: isakmp 4278190080/ip 268) +IP (tos 0x12,ECT(0), ttl 17, id 21263, offset 72, flags [+, DF, rsvd], proto unknown (40), length 296, bad cksum fbff (->9847)!) + 80.0.128.20 > 12.251.0.45: ip-proto-40 +IP (tos 0x15,ECT(1), ttl 17, id 21263, offset 0, flags [+, DF, rsvd], proto UDP (17), length 296, bad cksum 1ff (->9864)!) + 80.0.128.20.500 > 12.251.0.45.49152: isakmp 2.12 msgid 1010100b: child_sa ikev2_auth[V]: + (n: doi=ipsec proto=#16 type=REPLAY-STATUS spi=04 status=( [|n]) (len mismatch: isakmp 620756992/ip 268)
tests/isakmp-ikev1_n_print-oobr.pcap+0 −0 addedtests/TESTLIST+1 −0 modified@@ -551,6 +551,7 @@ radius_attr_asan radius_attr_asan.pcap radius_attr_asan.out -v ospf6_decode_v3_asan ospf6_decode_v3_asan.pcap ospf6_decode_v3_asan.out -v ip_ts_opts_asan ip_ts_opts_asan.pcap ip_ts_opts_asan.out -v isakmpv1-attr-oobr isakmpv1-attr-oobr.pcap isakmpv1-attr-oobr.out -v +isakmp-ikev1_n_print-oobr isakmp-ikev1_n_print-oobr.pcap isakmp-ikev1_n_print-oobr.out -v -c3 # The .pcap file is truncated after the 1st packet. hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1 hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
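Review bot: In the IPSECDOI_NTYPE_REPLAY_STATUS case of ikev1_n_print() in print-isakmp.c, ND_TCHECK_32BITS(cp) is placed after ND_PRINT((ndo," status=(")), so a truncated packet prints the opening "status=(" and then jumps to the truncation marker without closing it, which is what the new expected output records ("status=( [|n])"). Consider moving the check above the first ND_PRINT of the case so the field is printed whole or not at all. The check also only confirms that four bytes were captured at cp; the visible lines do not show cp being compared with the notification payload's own declared length, so that is worth confirming in the surrounding code.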
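Review bot: The comment on the new isakmp-ikev1_n_print-oobr entry in tests/TESTLIST says the .pcap file is truncated after the 1st packet, but the entry passes -c3 and the added .out file contains three packet records. Reword the comment to say why three packets are requested, so the option is not later changed to -c1 to match the neighbouring hncp entries and the regression case silently stops covering the REPLAY-STATUS packet, which is the third record in the expected output.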
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (16)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/396e94ff55a80d554b1fe46bf107db1e91008d6c (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)