CVE-2019-8381
Description
An issue was discovered in Tcpreplay 4.3.1. An invalid memory access occurs in do_checksum in checksum.c. It can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tcpreplay 4.3.1 has an invalid memory access in do_checksum() that can be triggered via a crafted pcap file, causing denial of service.
Vulnerability
An invalid memory access vulnerability exists in the do_checksum function in checksum.c of Tcpreplay version 4.3.1 [1]. The issue can be triggered by supplying a specially crafted pcap file to the tcpreplay-edit binary [1]. When tcpreplay-edit processes the malicious pcap, the do_checksum() function attempts to read from an invalid memory address, leading to a segmentation fault [1][2].
Exploitation
An attacker needs to craft a pcap file that causes the invalid memory access. The file must be processed by the tcpreplay-edit binary with certain command-line options (e.g., -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC) [1]. No authentication or special network position is required beyond the ability to run the binary on the victim system [1]. The exploit triggers a read from an invalid pointer, as shown in the debugger where rip is at do_checksum+524 and the fault occurs on a movzx instruction reading from memory at [rax+0x6] with rax containing an invalid address [1].
Impact
Successful exploitation results in a denial of service via segmentation fault, crashing the tcpreplay-edit process [1][2]. The description and reference also mention possible unspecified other impact, but no concrete other impact is demonstrated or described in the available references [1][2]. The crash occurs in user space and does not persist after the process is terminated.
Mitigation
No official patched release has been identified in the available references. The vulnerability was reported in February 2019, and the issue tracker on GitHub ([1]) shows the report but does not indicate a fix. Fedora package advisories ([3], [4]) were inaccessible due to bot protection, and thus no fix or workaround from those sources can be confirmed. Users should monitor the Tcpreplay project for updates and consider avoiding processing untrusted pcap files with tcpreplay-edit until a fix is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.3.1
Patches
No patches discovered yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V3SADKXUSHWTVAPU3WLXBDEQUHRA6ZO/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EB3ASS7URTIA3IFSBL2DIWJAFKTBJCAW/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MLPY6W7Z7G6PF2JN4LXXHCACYLD4RBG6/ (mitre, vendor-advisory, x_refsource_FEDORA)
- github.com/appneta/tcpreplay/issues/538 (mitre, x_refsource_MISC)
- research.loginsoft.com/bugs/invalid-memory-access-vulnerability-in-function-do_checksum-tcpreplay-4-3-1/ (mitre, x_refsource_MISC)