CVE-2018-16229
Description
A buffer over-read in tcpdump's DCCP parser (before 4.9.3) allows denial of service via crafted packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer over-read vulnerability exists in the DCCP protocol parser in tcpdump versions before 4.9.3. The flaw resides in the dccp_print_option() function within print-dccp.c. When processing malformed DCCP packets, the function reads beyond the bounds of a buffer, leading to potential memory corruption or information disclosure. The issue is triggered when tcpdump handles packets with crafted options, as demonstrated in the test captures added in the fix commit [2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted DCCP packet to a target system where tcpdump is running in capture mode. No authentication or additional privileges are required beyond network access to the target. The attacker would transmit a DCCP packet containing malformed option data that causes tcpdump to read past the allocated buffer. The exploitation does not require user interaction other than the target running tcpdump in a capture session [2].
Impact
Successful exploitation results in a buffer over-read, which can cause tcpdump to crash or expose sensitive information from memory. The primary impact is denial of service (availability), as the process may terminate unexpectedly. In some configurations, this could lead to memory disclosure (confidentiality breach) if the over-read leaks data. The attack does not provide code execution or privilege escalation [1][2].
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3, released on October 3, 2019. Users should update to tcpdump 4.9.3 or later. For systems that cannot update immediately, a workaround is to avoid capturing DCCP traffic or to apply the commit that fixes the issue [2]. The issue is also addressed in Apple's macOS security updates (Catalina 10.15.2, Mojave Security Update 2019-002, High Sierra Security Update 2019-007), which include the patched tcpdump [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11)
- tcpdump/tcpdump
- osv-coords (9 versions):
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 4.9.2-lp150.10.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 4.9.2-lp151.4.6.1
  - pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed (no CPE), range: < 4.99.1-1.2
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE), range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 (no CPE), range: < 4.9.2-3.9.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (no CPE), range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS (no CPE), range: < 3.9.8-1.30.13.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 4.9.2-14.17.1
  - pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 4.9.2-14.17.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (16)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4547 (mitre, vendor-advisory, x_refsource_DEBIAN)
- seclists.org/fulldisclosure/2019/Dec/26 (mitre, mailing-list, x_refsource_FULLDISC)
- github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES (mitre, x_refsource_MISC)
- github.com/the-tcpdump-group/tcpdump/commit/211124b972e74f0da66bc8b16f181f78793e2f66 (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2019/10/msg00015.html (mitre, mailing-list, x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/23 (mitre, mailing-list, x_refsource_BUGTRAQ)
- seclists.org/bugtraq/2019/Oct/28 (mitre, mailing-list, x_refsource_BUGTRAQ)
- security.netapp.com/advisory/ntap-20200120-0001/ (mitre, x_refsource_CONFIRM)
- support.apple.com/kb/HT210788 (mitre, x_refsource_CONFIRM)