CVE-2018-19519
Description
In tcpdump 4.9.2, uninitialized buffer in print_prefix leads to stack over-read via crafted HNCP packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer over-read vulnerability exists in the print_prefix function of print-hncp.c in tcpdump 4.9.2. The function allocates a local buffer buf but does not initialize it. When processing specially crafted HNCP packets, execution enters an else branch that calls decode_prefix6, which may return -1 without writing to buf. The subsequent ND_PRINT("%s", buf) then reads beyond the buffer until a null byte, causing a buffer over-read. This issue is triggered by packets where the prefix field is 0xff, as documented in [3].
Exploitation
An attacker can cause a stack-based buffer over-read by sending a crafted HNCP packet (e.g., via a pcap file) to tcpdump. No prior authentication is required. The attacker must trick the victim into running tcpdump with the malicious packet, for example using tcpdump -r crafted.pcap. The specific conditions include a prefix value of 0xff and max_length satisfying the if-condition, leading to the vulnerable code path. The over-read occurs because buf remains uninitialized when decode_prefix6 returns -1 [3].
Impact
Successful exploitation can lead to a denial of service (crash) due to reading beyond the buffer boundary. In some cases, it may result in information disclosure (leaking stack memory) or potential arbitrary code execution; [2] notes that tcpdump could crash or possibly execute arbitrary code. The references do not explicitly provide a CVSS base score.
Mitigation
The vulnerability is fixed in tcpdump version 4.9.3. Red Hat issued RHSA-2019:3976 [1] and Ubuntu released USN-4252-1 [2], both of which include the fix. Fedora updates are also available [4]. As a workaround, users can initialize buf[0] = '\0' in the source code, as suggested in [3], before recompiling. Upgrading to tcpdump 4.9.3 or later is the recommended mitigation.
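The pattern described under Vulnerability and the buf[0] = '\0' workaround described above, side by side, as an added example that is not tcpdump's source. decode_stub, printed_len, BUFSZ and the input bytes are hypothetical stand-ins, and the stale stack contents are modelled with a constructed fill so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16 /* constructed size, not tcpdump's */

/* Hypothetical stand-in for decode_prefix6(): on a bad prefix length
 * (e.g. 0xff) it returns -1 and never writes to buf. */
static int decode_stub(const unsigned char *p, size_t len, char *buf, size_t sz)
{
    if (len < 1 || p[0] > 128)
        return -1;
    snprintf(buf, sz, "::/%u", (unsigned)p[0]);
    return 1;
}

/* Models print_prefix(). Returns how many bytes a "%s" print of buf would
 * consume, or -1 if buf holds no NUL, i.e. the print would run off the
 * end of the buffer into adjacent stack memory. */
static int printed_len(const unsigned char *p, size_t len, int hardened)
{
    char buf[BUFSZ];
    const char *nul;

    /* Reading truly uninitialized memory is undefined behaviour, so stale
     * stack contents are modelled with a constructed non-NUL fill. */
    memset(buf, 'A', sizeof buf);

    if (hardened)
        buf[0] = '\0'; /* the workaround: start with an empty string */

    /* Return value ignored, as in the vulnerable code path. */
    (void)decode_stub(p, len, buf, sizeof buf);

    nul = memchr(buf, '\0', sizeof buf);
    return nul ? (int)(nul - buf) : -1;
}

int main(void)
{
    const unsigned char bad[] = { 0xff }; /* constructed input */
    const unsigned char ok[]  = { 64 };   /* constructed input */

    printf("bad, unpatched: %d\n", printed_len(bad, sizeof bad, 0));
    printf("bad, patched:   %d\n", printed_len(bad, sizeof bad, 1));
    printf("ok,  unpatched: %d\n", printed_len(ok, sizeof ok, 0));
    return 0;
}
```

A result of -1 marks the case where the decoder failed and nothing terminated the buffer; with the initialization in place the same input prints an empty string.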
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- osv-coords (8 versions), range: < 4.99.1-1.2 + 7 more
  pkg:rpm/opensuse/tcpdump&distro=openSUSE%20Tumbleweed
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  pkg:rpm/suse/tcpdump&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
- (no CPE) range: < 4.99.1-1.2
- (no CPE) range: < 4.9.2-14.8.1
- (no CPE) range: < 4.9.2-14.8.1
- (no CPE) range: < 4.9.2-3.3.1
- (no CPE) range: < 4.9.2-14.8.1
- (no CPE) range: < 4.9.2-14.8.1
- (no CPE) range: < 4.9.2-14.8.1
- (no CPE) range: < 4.9.2-14.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- access.redhat.com/errata/RHSA-2019:3976 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/4252-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4252-2/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.securityfocus.com/bid/106098 (mitre, vdb-entry, x_refsource_BID)
- github.com/zyingp/temp/blob/master/tcpdump.md (mitre, x_refsource_MISC)
- kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516 (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.