CVE-2018-18407
Description
A heap-based buffer over-read was discovered in the tcpreplay-edit binary of Tcpreplay 4.3.0 beta1, during the incremental checksum operation. The issue gets triggered in the function csum_replace4() in incremental_checksum.h, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tcpreplay 4.3.0 beta1 contains a heap-based buffer over-read in csum_replace4() leading to denial of service.
Vulnerability
A heap-based buffer over-read was discovered in the tcpreplay-edit binary of Tcpreplay version 4.3.0 beta1. The issue is triggered in the function csum_replace4() located in incremental_checksum.h, which is invoked by ipv4_l34_csum_replace() in edit_packet.c during incremental checksum operations [1][2]. The over-read occurs when the function attempts to read a __sum16 value from an invalid memory location, as demonstrated by an AddressSanitizer report showing a read of size 2 at an out-of-bounds address [2]. The affected version is the 4.3 branch, specifically the beta1 release [1][2].
Exploitation
An attacker can trigger the vulnerability by providing a crafted packet capture (PCAP) file to tcpreplay-edit with specific options. For example, the command tcpreplay-edit --portmap=80:8000 --seed=10 --cachefile=example.cache --intf1=eno1 --intf2=eno3 --decode=some --preload-pcap --verbose $POC leads to the crash [2]. No special network position or authentication is required; the attacker only needs to supply a malicious PCAP file that causes the heap-based over-read during the checksum update process [1][2].
Impact
Successful exploitation causes a denial of service (DoS) due to the heap-buffer over-read, which may crash the tcpreplay-edit application. The vulnerability is a read operation, so it could also potentially lead to information exposure if an attacker can observe the out-of-bounds read data [1]. The impact is limited to application availability and potential information leakage; it does not provide code execution or privilege escalation [1][2].
Mitigation
As of the available references, no fixed version of Tcpreplay has been released to address CVE-2018-18407. Users are advised to monitor the official Tcpreplay repository for updates and to avoid processing untrusted PCAP files with the affected tcpreplay-edit binary as a workaround [1][2]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
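A bounds-checked version of the operation described above, as an added example (not Tcpreplay's code and not an upstream fix): it rewrites a TCP destination port, as --portmap=80:8000 would, and applies the RFC 1624 incremental checksum update only after confirming that the 16-bit checksum field lies inside the captured bytes. The names rewrite_tcp_dport and demo and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1624 eqn. 3 for one changed 16-bit word: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* end-around carry */
    return (uint16_t)~sum;
}

/* Hypothetical helper: rewrite the TCP destination port of an IPv4 packet of
 * caplen captured bytes. Every offset is checked first. 0 = ok, -1 = rejected. */
int rewrite_tcp_dport(uint8_t *pkt, size_t caplen, uint16_t new_port)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6 || ((pkt[6] & 0x1f) | pkt[7]))
        return -1;   /* short, not IPv4/TCP, or a later fragment (no TCP header) */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > caplen || caplen - ihl < 18)
        return -1;   /* TCP bytes 16..17 (the checksum) were not captured */
    uint8_t *tcp = pkt + ihl;
    wr16(tcp + 16, csum_update16(rd16(tcp + 16), rd16(tcp + 2), new_port));
    wr16(tcp + 2, new_port);
    return 0;
}

/* Constructed sample: 192.0.2.1 -> 198.51.100.2, TCP 4660 -> 80, valid checksum 0x9127. */
static const uint8_t SAMPLE[40] = {
    0x45,0x00,0x00,0x28,0x00,0x00,0x40,0x00,0x40,0x06,0x00,0x00,0xc0,0x00,0x02,0x01,0xc6,0x33,0x64,0x02,
    0x12,0x34,0x00,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,0x20,0x00,0x91,0x27,0x00,0x00 };

/* Rewrite a copy of SAMPLE as if only caplen bytes were captured; returns the new checksum or -1. */
int demo(size_t caplen, uint16_t new_port)
{
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof buf);
    if (caplen > sizeof buf || rewrite_tcp_dport(buf, caplen, new_port) != 0)
        return -1;
    return rd16(buf + 36);   /* TCP checksum sits at IP header (20) + 16 */
}

int main(void)
{
    printf("full: 0x%04x  truncated: %d\n", (unsigned)demo(40, 8000), demo(30, 8000));
}
```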
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.3.0 beta1
Patches
No patches discovered yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V3SADKXUSHWTVAPU3WLXBDEQUHRA6ZO/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MLPY6W7Z7G6PF2JN4LXXHCACYLD4RBG6/ (mitre, vendor-advisory, x_refsource_FEDORA)
- github.com/SegfaultMasters/covering360/blob/master/tcpreplay/README.md (mitre, x_refsource_MISC)
- github.com/appneta/tcpreplay/issues/488 (mitre, x_refsource_MISC)