VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2019 · Updated Dec 3, 2025

CVE-2018-16230

Description

A buffer over-read in tcpdump's BGP parser (MP_REACH_NLRI) allows information disclosure via crafted BGP UPDATE packets; fixed in version 4.9.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The BGP parser in tcpdump versions before 4.9.3 contains a buffer over-read in the bgp_attr_print() function in print-bgp.c, triggered when processing the Multiprotocol Reachable NLRI (MP_REACH_NLRI) attribute. The parser does not properly validate the length of the next-hop field, so a crafted BGP UPDATE message can cause it to read beyond the allocated buffer [2].
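The length validation this class of bug calls for, as an added example (not tcpdump's code and not the 4.9.3 fix): a bounds-checked reader for the MP_REACH_NLRI value layout defined in RFC 4760. The struct, the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed view of an MP_REACH_NLRI value: AFI(2) SAFI(1) NH-len(1) NH reserved(1) NLRI. */
struct mp_reach {
    uint16_t afi;
    uint8_t safi, nh_len;
    const uint8_t *next_hop, *nlri;
    size_t nlri_len;
};

/* Returns 0 on success, -1 if any field would extend past the captured bytes. */
int parse_mp_reach(const uint8_t *p, size_t len, struct mp_reach *out)
{
    if (len < 4)                         /* fixed header must be present */
        return -1;
    out->afi = (uint16_t)((p[0] << 8) | p[1]);
    out->safi = p[2];
    out->nh_len = p[3];                  /* sender-controlled length field */
    p += 4;
    len -= 4;
    size_t need = (size_t)out->nh_len + 1; /* next hop plus the reserved octet */
    if (need > len)                      /* the check whose absence causes an over-read */
        return -1;
    out->next_hop = p;
    out->nlri = p + need;
    out->nlri_len = len - need;
    return 0;
}

/* Constructed sample: IPv6 unicast, 16-byte next hop, one /32 prefix. */
static const uint8_t sample_ok[] = {
    0x00, 0x02, 0x01, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
    0x00,
    0x20, 0x20, 0x01, 0x0d, 0xb8 };
/* Constructed sample: declares a 16-byte next hop but carries only 4 bytes. */
static const uint8_t sample_truncated[] = {
    0x00, 0x02, 0x01, 0x10, 0x20, 0x01, 0x0d, 0xb8 };

int main(void)
{
    struct mp_reach m;
    printf("ok=%d\n", parse_mp_reach(sample_ok, sizeof sample_ok, &m));
    printf("truncated=%d\n", parse_mp_reach(sample_truncated, sizeof sample_truncated, &m));
    return 0;
}
```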

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted BGP UPDATE message to a system running tcpdump that is capturing or analyzing BGP traffic. The attacker does not need authentication or special network position beyond being able to inject BGP packets into the monitored traffic. The crafted message triggers the over-read when tcpdump attempts to decode the MP_REACH_NLRI attribute with an invalid next-hop length [2].

Impact

Successful exploitation results in a buffer over-read, which may lead to information disclosure by leaking adjacent memory contents. The impact is limited to the tcpdump process; however, if tcpdump is used in automated monitoring or security analysis pipelines, the leaked data could expose sensitive information from the system's memory [2].

Mitigation

The vulnerability is fixed in tcpdump version 4.9.3, released on 2018-09-25. Users should upgrade to tcpdump 4.9.3 or later. Apple included the fix in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra, though the Apple security advisories do not explicitly list this CVE [1][2]. No workaround is available; upgrading is the recommended action.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

16
