CVE-2017-12990
📋 TL;DR
CVE-2017-12990 is a denial-of-service bug in tcpdump's ISAKMP (IKE) printer: a crafted ISAKMP packet sends the parser into an infinite loop, so the tcpdump process spins on one CPU core and never produces further output. Every tcpdump release before 4.9.2 is affected, whether the packet arrives on a live interface or is read from a saved capture file with -r. Network administrators and security analysts who run tcpdump to inspect traffic, and any monitoring pipeline that depends on its output, are the parties affected; the outcome is a hang, not code execution.
💻 Affected Systems
- tcpdump before 4.9.2 (live capture and offline reading with -r alike; distribution builds carrying the fix are listed in the references)
📦 What is this software?
tcpdump is the command-line packet capture and analysis tool maintained by The Tcpdump Group (tcpdump.org). It captures packets through libpcap and decodes them with per-protocol printers; the ISAKMP/IKE printer (print-isakmp.c) is the component affected by this CVE.
⚠️ Risk & Real-World Impact
Worst Case
A tcpdump process that hits the loop becomes unresponsive and pins a CPU core. Anything built on top of it (monitoring dashboards, IDS-style pipelines, scheduled capture scripts, automated forensics jobs) silently stops seeing traffic until someone notices and kills the process; a supervisor that only watches for process exit never restarts it, because the process never exits.
Likely Case
An attacker who can place a crafted ISAKMP packet on a monitored segment, or hand an analyst a crafted .pcap file, hangs that tcpdump instance. The process has to be killed by hand and restarted, leaving a gap in capture data for as long as nobody notices.
If Mitigated
Limited impact: the attacker needs either the ability to inject packets into traffic that a vulnerable tcpdump is decoding, or to get a crafted capture file opened with a vulnerable tcpdump. Network segmentation narrows the first path but does nothing for the second, so capture files from outside your control should be opened only with a patched build.
🎯 Exploit Status
Triggering the bug needs no privileges on the capturing host: the attacker only has to get a crafted ISAKMP packet in front of a decoding tcpdump (UDP port 500 or 4500 traffic on a captured segment, or a saved .pcap opened with tcpdump -r). The fixing commit linked in the references shows which parsing paths were affected, and proof-of-concept input is publicly available. The result is a hang, not code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.2 and later
Vendor Advisory: http://www.tcpdump.org/tcpdump-changes.txt
Restart Required: No reboot, but tcpdump processes that were already running keep executing the old binary until they are restarted.
Instructions:
1. Update tcpdump to version 4.9.2 or later (or to a distribution build that carries the fix) using your system's package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt install tcpdump (Debian shipped the fix in DSA-3971).
3. RHEL/CentOS: sudo yum update tcpdump (the fixed package shipped with RHEA-2018:0705).
4. Source installation: download the latest release from tcpdump.org and compile it.
5. Restart any long-running tcpdump instances (capture daemons, monitoring wrappers) so they pick up the new binary, then confirm with tcpdump --version.
🔧 Temporary Workarounds
Filter ISAKMP traffic (all platforms)
Use a BPF capture filter so ISAKMP/IKE packets are discarded by the kernel filter before the printer ever sees them. The trade-off is that IKE traffic becomes invisible in that capture, and the filter only covers the conventional ports, so IKE carried on a non-standard port still reaches the parser. Capturing to a file with -w (which writes raw packets and runs no printers) and decoding later with a patched tcpdump avoids both limitations.
tcpdump -i eth0 'not port 500 and not port 4500'
Limit tcpdump runtime (Linux, GNU coreutils timeout)
Run tcpdump under timeout so a hung instance is eventually killed. tcpdump's SIGTERM/SIGINT handler only asks the capture loop to stop after the current packet, and the loop never regains control while a printer is spinning, so a plain timeout 60 may leave the process alive; the -k option follows SIGTERM with SIGKILL after the given grace period.
timeout -k 5 60 tcpdump -i eth0
🧯 If You Can't Patch
- Restrict which hosts can send traffic onto segments where a vulnerable tcpdump decodes packets; the attacker only needs one packet to be captured, not access to the capturing host itself
- Treat capture files from outside your control as untrusted input and open them only with a patched tcpdump or another decoder
- Monitor tcpdump processes and restart automatically when one stops producing output while consuming CPU; kill with SIGKILL, since a looping tcpdump will not act on SIGTERM
🔍 How to Verify
Check if Vulnerable:
Run 'tcpdump --version' (the banner goes to stderr) and check whether the reported version is earlier than 4.9.2. Distribution packages sometimes backport fixes without changing the upstream version string, so on a distro build also check the package changelog for CVE-2017-12990 before declaring the host vulnerable.
Check Version:
tcpdump --version 2>&1 | head -1
Verify Fix Applied:
Run 'tcpdump --version' and confirm it reports 4.9.2 or later, or that the package changelog lists CVE-2017-12990 as fixed. Then confirm that no running tcpdump process predates the upgrade, since a process started before the update is still executing the old code.
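The version check above, as an added example written for this page (it is not tcpdump.org code): it parses the banner, compares the dotted version against 4.9.2 component by component (so 4.9 sorts below 4.9.2 and 4.10 above it), and, on a distro build, looks for a backported fix in the package changelog. The changelog locations (rpm's changelog query, and /usr/share/doc/tcpdump/changelog.Debian.gz on Debian/Ubuntu) are assumptions about standard packaging, and the live check at the bottom is skipped when tcpdump is not installed.

```shell
#!/bin/sh
# Added example for this page (not tcpdump.org code): decide whether a
# tcpdump banner predates the 4.9.2 fix for CVE-2017-12990 and, on a
# distro build, look for a backported fix in the package changelog.
# Plain POSIX sh; variables are global because sh has no portable "local".

FIXED_VERSION=4.9.2

# Pull the dotted version out of a banner line such as
# "tcpdump version 4.9.1" (tcpdump prints its banner on stderr).
tcpdump_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component; prints lt, eq or gt.
# Missing components count as 0, so 4.9 < 4.9.2 and 4.10 > 4.9.2.
version_cmp() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        if [ "${a:-0}" -lt "${b:-0}" ]; then echo lt; return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Exit status 0 = vulnerable by version number (older than 4.9.2),
# 1 = not vulnerable by version number, 2 = banner not recognised.
tcpdump_vulnerable() {
    ver=$(tcpdump_version_of "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised tcpdump banner: $1" >&2
        return 2
    fi
    [ "$(version_cmp "$ver" "$FIXED_VERSION")" = lt ]
}

# Distro packages may backport the fix without bumping the version.
# Assumed standard locations: the rpm changelog on RHEL/CentOS and
# changelog.Debian.gz under /usr/share/doc on Debian/Ubuntu.
changelog_mentions_fix() {
    if command -v rpm >/dev/null 2>&1 && rpm -q tcpdump >/dev/null 2>&1; then
        rpm -q --changelog tcpdump | grep -q CVE-2017-12990 && return 0
    fi
    if [ -r /usr/share/doc/tcpdump/changelog.Debian.gz ]; then
        zcat /usr/share/doc/tcpdump/changelog.Debian.gz | grep -q CVE-2017-12990 && return 0
    fi
    return 1
}

# Live check of the host this runs on; skipped when tcpdump is absent.
if command -v tcpdump >/dev/null 2>&1; then
    banner=$(tcpdump --version 2>&1 | head -n 1)
    tcpdump_vulnerable "$banner"
    case $? in
        0) if changelog_mentions_fix; then
               echo "PATCHED (distro backport): $banner"
           else
               echo "VULNERABLE: $banner is older than $FIXED_VERSION"
           fi ;;
        1) echo "OK: $banner" ;;
        *) echo "UNKNOWN: could not parse: $banner" ;;
    esac
fi
```

Run it as a plain script on each capture host; a VULNERABLE verdict on a distro build still deserves a manual look at the changelog, because the grep only recognises the CVE identifier spelled out exactly.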
📡 Detection & Monitoring
Log Indicators:
- tcpdump processes that have been running for an unusually long time while sitting at or near 100% CPU and producing no new output (a hung parser spins; a healthy idle capture does not)
- System or supervisor logs showing tcpdump instances killed by timeout or by a watchdog
Network Indicators:
- ISAKMP traffic (UDP 500/4500) directed at monitoring spans or capture hosts that have no IKE peers
- ISAKMP packets with malformed payload structure, especially from sources that otherwise speak no IKE
SIEM Query (illustrative; field names depend on your SIEM, and legitimate long-running captures also match on duration alone, so pair it with a CPU condition):
process_name="tcpdump" AND duration>300s
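The same detection at host level, as an added example written for this page (not tcpdump.org code or a product query): it reads "pid etimes pcpu comm" records in the shape produced by procps `ps -eo pid,etimes,pcpu,comm --no-headers` on Linux and flags tcpdump processes that are both old and busy, which separates a hung parser from a legitimate long-running capture that is mostly idle. The sample records are constructed, the thresholds are assumptions to tune per host, and the kill step runs only when the script is invoked with the argument `live`.

```shell
#!/bin/sh
# Added example for this page (not tcpdump.org code): flag tcpdump
# processes that look stuck in the CVE-2017-12990 loop, i.e. old AND
# busy. Input records are "pid etimes pcpu comm" as produced by procps
# `ps -eo pid,etimes,pcpu,comm --no-headers` (Linux; etimes is elapsed
# seconds). Thresholds are assumptions to tune per host.

# Print the PIDs of tcpdump processes older than $1 seconds that are
# using at least $2 percent CPU. A healthy long-running capture is old
# but mostly idle; a hung parser is old and pegged near 100%.
flag_hung_tcpdump() {
    awk -v max_age="$1" -v min_cpu="$2" '
        $4 == "tcpdump" && ($2 + 0) > max_age && ($3 + 0) >= min_cpu { print $1 }
    '
}

# Constructed sample of ps output (not real data) covering the cases:
# 101 hung for 75 min; 102 just started; 103 old but idle (legitimate
# capture daemon); 104 busy but not tcpdump; 105 another hung instance.
SAMPLE_PS='  101   4521  99.7 tcpdump
  102     30   0.3 tcpdump
  103   9000   0.1 tcpdump
  104   9000  98.0 sshd
  105    400  97.2 tcpdump'

# Run the detector over the constructed sample with the given thresholds.
flag_from_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_hung_tcpdump "$1" "$2"
}

# Live mode: kill hung instances with SIGKILL. A tcpdump stuck inside a
# printer never returns to the capture loop, so its SIGTERM handler
# cannot stop it. Guarded behind `sh this.sh live` so that running the
# script by accident only exercises the sample data.
if [ "${1:-}" = live ]; then
    ps -eo pid,etimes,pcpu,comm --no-headers | flag_hung_tcpdump 300 90 |
    while read -r pid; do
        echo "killing hung tcpdump pid $pid" >&2
        kill -KILL "$pid"
    done
else
    echo "sample hung tcpdump pids (age > 300s, cpu >= 90%):"
    flag_from_sample 300 90
fi
```

On the sample data the detector reports 101 and 105: process 103 has been running even longer but is idle, which is what a legitimate capture daemon looks like. A supervisor that restarts tcpdump after the kill completes the workaround listed under "If You Can't Patch".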
🔗 References
- http://www.debian.org/security/2017/dsa-3971
- http://www.securitytracker.com/id/1039307
- http://www.tcpdump.org/tcpdump-changes.txt
- https://access.redhat.com/errata/RHEA-2018:0705
- https://github.com/the-tcpdump-group/tcpdump/commit/c2ef693866beae071a24b45c49f9674af1df4028
- https://security.gentoo.org/glsa/201709-23
- https://support.apple.com/HT208221