CVE-2018-10103

9.8 CRITICAL

📋 TL;DR

This vulnerability in tcpdump allows remote attackers to execute arbitrary code or cause denial of service via specially crafted SMB packets. It affects systems running vulnerable versions of tcpdump that process SMB network traffic.

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: Linux, Unix-like systems, Windows (via ports)
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when tcpdump processes SMB protocol traffic.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges leading to complete system compromise.

🟠 Likely Case: Denial of service through tcpdump crash when processing malicious SMB traffic.

🟢 If Mitigated: Limited impact if tcpdump runs with reduced privileges or network exposure is restricted.

🌐 Internet-Facing: MEDIUM - tcpdump typically runs locally but could be exposed via monitoring interfaces.
🏢 Internal Only: MEDIUM - internal attackers could exploit if tcpdump processes their traffic.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious SMB packets to a network interface being monitored by tcpdump.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No

Instructions:

1. Update tcpdump using your package manager: 'sudo apt update && sudo apt upgrade tcpdump' (Debian/Ubuntu) or 'sudo yum update tcpdump' (RHEL/CentOS).
2. Verify the installation with 'tcpdump --version'.

🔧 Temporary Workarounds

Disable SMB protocol parsing (platform: all)

Use a BPF capture filter so tcpdump never hands SMB traffic to its SMB decoder:

tcpdump not port 445 and not port 139

Run tcpdump with reduced privileges (platform: linux)

Execute tcpdump as a non-root user to limit the impact of a crash or code execution in the decoder:

sudo -u nobody tcpdump [options]
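The two workarounds above combined into one wrapper, as an added example that is not part of the advisory and not tcpdump's own code. It relies on tcpdump's real -Z (--relinquish-privileges) option, which opens the capture interface as root and then switches to the named user before packets are handed to the decoders; a plain 'sudo -u nobody tcpdump' usually fails because an unprivileged user cannot open the interface unless the binary carries file capabilities. The filter also excludes UDP 137/138, because tcpdump dispatches NetBIOS name-service and datagram traffic on those ports to the same NetBIOS/SMB printer; the advisory only names TCP 139/445, so excluding the UDP ports is a conservative assumption rather than something the advisory states. The interface name, the drop-to user and the SAFE_TCPDUMP_RUN guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): capture with SMB/NetBIOS ports excluded
# and with privileges relinquished before the packet decoders run.

# Ports tcpdump routes to its NetBIOS/SMB decoder: TCP 139 (NetBIOS session),
# TCP 445 (direct SMB) and UDP 137/138 (NetBIOS name/datagram services).
# Excluding all four is an assumption that errs on the side of caution.
SMB_PORT_FILTER='not (tcp port 139 or tcp port 445 or udp port 137 or udp port 138)'

# build_filter [user_filter] -> prints the final BPF expression, combining an
# optional operator-supplied filter with the SMB exclusion.
build_filter() {
    user_filter=$1
    if [ -n "$user_filter" ]; then
        printf '(%s) and %s\n' "$user_filter" "$SMB_PORT_FILTER"
    else
        printf '%s\n' "$SMB_PORT_FILTER"
    fi
}

# drop_user -> the account tcpdump switches to after opening the interface.
# Debian/Ubuntu packages create a dedicated 'tcpdump' account; fall back to
# 'nobody' (the account the advisory's workaround uses) where it does not exist.
drop_user() {
    if getent passwd tcpdump >/dev/null 2>&1; then
        echo tcpdump
    else
        echo nobody
    fi
}

# safe_tcpdump IFACE [user_filter]
# -Z makes tcpdump open IFACE as root and then change uid/gid, so the SMB
# decoder (where this bug lives) never runs with root privileges.
# -nn disables name resolution so the capture does not trigger DNS lookups.
safe_tcpdump() {
    iface=$1
    filter=$(build_filter "$2")
    exec tcpdump -i "$iface" -Z "$(drop_user)" -nn "$filter"
}

# Only start a capture when explicitly asked; sourcing the file defines the
# functions without running tcpdump. IFACE and USER_FILTER are assumed names.
if [ "${SAFE_TCPDUMP_RUN:-0}" = "1" ]; then
    safe_tcpdump "${IFACE:-eth0}" "${USER_FILTER:-}"
fi
```

Run as 'SAFE_TCPDUMP_RUN=1 IFACE=eth0 USER_FILTER="host 10.0.0.5" sudo sh safe_tcpdump.sh' (constructed values). The filter only keeps the vulnerable decoder from seeing traffic; -Z is what limits the damage if traffic reaches it anyway, which is why the wrapper always applies both.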

🧯 If You Can't Patch

  • Restrict tcpdump to trusted network segments only
  • Implement network segmentation to isolate SMB traffic from monitoring systems

🔍 How to Verify

Check if Vulnerable:

Run 'tcpdump --version' and check whether the reported version is below 4.9.3.

Check Version:

tcpdump --version | head -1

Verify Fix Applied:

Confirm version is 4.9.3 or higher with 'tcpdump --version | head -1'
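The version check above written out as shell functions, as an added example that is not part of the advisory. It parses the first line of 'tcpdump --version' and compares the dotted components numerically, so that a string comparison does not misreport 4.10.0 as older than 4.9.3. The version banners used in the test are constructed. One caveat a practitioner should keep in mind: distribution packages frequently backport a fix without raising the upstream version number, so a "vulnerable" verdict from the banner should be confirmed against the package changelog (for example 'rpm -q --changelog tcpdump' or 'apt changelog tcpdump') before treating the host as unpatched.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed tcpdump below 4.9.3?

FIXED_VERSION=4.9.3

# parse_tcpdump_version "BANNER" -> prints X.Y.Z from a line such as
# "tcpdump version 4.9.2"; prints nothing if the line is not a tcpdump banner.
parse_tcpdump_version() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B -> exit status 0 when A < B, comparing dotted components as
# integers; a missing component counts as 0, so 4.9 < 4.9.3 and 4.9.3 == 4.9.3.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; [ "$ah" = "$a" ] && a='' || a=${a#*.}
        bh=${b%%.*}; [ "$bh" = "$b" ] && b='' || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# tcpdump_status "BANNER" -> prints vulnerable | patched | unknown
tcpdump_status() {
    v=$(parse_tcpdump_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_installed_tcpdump -> status of the tcpdump found on PATH.
# Older tcpdump releases print the banner on stderr, hence the 2>&1.
check_installed_tcpdump() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo not-installed
        return
    fi
    tcpdump_status "$(tcpdump --version 2>&1 | head -1)"
}
```

Calling 'check_installed_tcpdump' on a host prints one word suitable for a fleet inventory script; 'unknown' means the banner did not match and deserves a manual look rather than being silently counted as patched.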

📡 Detection & Monitoring

Log Indicators:

  • tcpdump segmentation faults or abnormal termination
  • Core dumps from tcpdump process

Network Indicators:

  • Unusual SMB traffic patterns to monitoring interfaces
  • Malformed SMB packets

SIEM Query:

process_name:"tcpdump" AND (event_type:"crash" OR exit_code:139)
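The log indicators above turned into a small triage pass over syslog-style lines, as an added example that is not part of the advisory. The sample lines are constructed to resemble a kernel segfault message, a systemd unit killed by SIGSEGV and a systemd-coredump entry; exact formats differ between distributions, so the match patterns are assumptions to be tuned against real logs. The exit code 139 in the SIEM query is 128 + 11 (SIGSEGV), which is how a shell reports a process killed by a segmentation fault; systemd logs the same event as status=11/SEGV.

```shell
#!/bin/sh
# Added example (not from the advisory): pick tcpdump crash events out of logs
# and flag hosts where the crash repeats, which is the pattern to expect when
# a monitoring interface keeps receiving malformed SMB traffic.

# Constructed sample log lines (syslog layout: month day time host program: message).
SAMPLE_LOG='Mar  3 10:12:01 sensor01 kernel: tcpdump[2211]: segfault at 7f3a1c0e0000 ip 000055d1a2b3c4d5 sp 00007ffd1e2f3a40 error 4 in tcpdump[55d1a2a00000+100000]
Mar  3 10:12:01 sensor01 systemd[1]: tcpdump.service: Main process exited, code=killed, status=11/SEGV
Mar  3 10:12:02 sensor01 systemd-coredump[2215]: Process 2211 (tcpdump) of user 0 dumped core.
Mar  3 10:13:44 sensor01 sshd[2299]: Accepted publickey for ops from 10.0.0.9 port 51022 ssh2
Mar  3 10:20:10 sensor02 kernel: tcpdump[871]: segfault at 0 ip 000056221ab00000 sp 00007ffc00000000 error 4 in tcpdump[56221a900000+100000]
Mar  3 10:21:00 sensor02 kernel: snort[900]: segfault at 0 ip 0 sp 0 error 4 in snort[0+1000]'

# tcpdump_crash_lines: stdin -> lines that mention tcpdump AND carry a crash
# marker (kernel segfault, systemd SIGSEGV exit, or a core dump). Other
# programs' segfaults are dropped by the first grep.
tcpdump_crash_lines() {
    grep 'tcpdump' | grep -E 'segfault at|status=11/SEGV|dumped core'
}

# count_tcpdump_crashes: stdin -> number of crash lines (grep -c gives a clean integer).
count_tcpdump_crashes() {
    tcpdump_crash_lines | grep -c ''
}

# tcpdump_crashes_per_host: stdin -> "host count" per host, sorted by host.
# Field 4 is the hostname in the syslog layout used above.
tcpdump_crashes_per_host() {
    tcpdump_crash_lines | awk '{ c[$4]++ } END { for (h in c) print h, c[h] }' | sort
}

# hosts_with_repeated_crashes N: stdin -> hosts with at least N crash events.
# A single segfault may be an unrelated bug; repeats on a sensor point at
# traffic that keeps tripping the decoder.
hosts_with_repeated_crashes() {
    tcpdump_crashes_per_host | awk -v n="$1" '$2 >= n { print $1 }'
}

# Demonstration on the constructed sample; on a real host feed journalctl or
# /var/log/syslog into the same functions instead.
tcpdump_crash_report() {
    printf '%s\n' "$SAMPLE_LOG" | tcpdump_crashes_per_host
}
```

Hosts that show up from 'hosts_with_repeated_crashes 2' are the ones to check for the version and the workarounds above; a matching capture of the traffic reaching that interface (taken with the SMB ports excluded, so the capturing tcpdump is not itself exposed) is the next evidence to collect.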
