CVE-2018-14463

7.5 HIGH

📋 TL;DR

CVE-2018-14463 is a buffer over-read in tcpdump's VRRP parser. A crafted VRRP version 2 packet can make the parser read past the end of the captured packet, which can crash tcpdump (denial of service) or potentially expose adjacent memory contents in its output. It affects tcpdump versions before 4.9.3. Systems running a vulnerable tcpdump that captures and decodes untrusted network traffic are at risk.

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: Linux, Unix-like systems, BSD variants, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when parsing VRRP version 2 packets. Systems that don't process VRRP traffic or have tcpdump restricted to trusted sources are less exposed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution or sensitive information disclosure through memory leakage, though this is unlikely given the nature of buffer over-read vulnerabilities.

🟠

Likely Case

Denial of service through application crash when processing malicious VRRP packets.

🟢

If Mitigated

Minimal impact if tcpdump is not used to analyze untrusted network traffic or if proper network segmentation is in place.

🌐 Internet-Facing: MEDIUM - tcpdump is often used on systems that analyze network traffic, but exploitation requires specific conditions and network access.
🏢 Internal Only: LOW - tcpdump is typically a diagnostic tool rather than a service, reducing attack surface in most environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted VRRP packets to a system where tcpdump is running and analyzing network traffic. The vulnerability is in the parser itself, not a network service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tcpdump 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No

Instructions:

1. Update tcpdump using your distribution's package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade tcpdump' (Debian/Ubuntu) or 'sudo yum update tcpdump' (RHEL/CentOS).
3. For source installations: download and compile tcpdump 4.9.3+ from the official repository.

🔧 Temporary Workarounds

Restrict tcpdump usage

Platform: Linux

Limit tcpdump execution to trusted users and restrict the network interfaces it can monitor. The chmod line limits execution to the binary's owner and group; the setcap line then lets those group members capture without running as root, so make sure the file's group contains only the intended operators:

sudo chmod 750 /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Network filtering

Platform: Linux

Block or filter VRRP traffic (IP protocol 112) at network boundaries. Note that this only helps when applied on a firewall or router upstream of the capture host: tcpdump reads packets from the interface before netfilter's INPUT chain runs, so an INPUT rule on the same host does not stop a local tcpdump from parsing the packet. Also confirm that VRRP is not legitimately in use (e.g. keepalived or router redundancy) before dropping it.

iptables -A INPUT -p 112 -j DROP
iptables -A FORWARD -p 112 -j DROP

🧯 If You Can't Patch

  • Remove tcpdump from production systems where it's not essential
  • Implement strict network segmentation to limit exposure to VRRP traffic

🔍 How to Verify

Check if Vulnerable:

Run 'tcpdump --version' and check if version is below 4.9.3

Check Version:

tcpdump --version 2>&1 | head -1

Verify Fix Applied:

After update, run 'tcpdump --version' to confirm version is 4.9.3 or higher
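An added version check (not from the advisory or the tcpdump project) that parses the banner line above and compares it numerically against 4.9.3 instead of eyeballing the output. The banner format "tcpdump version X.Y.Z" and the 4.9.2 sample banner are assumptions:

```shell
#!/bin/sh
# Added example (not part of this advisory or of tcpdump): parse the first line
# of `tcpdump --version` and report whether the upstream version is below the
# fixed release 4.9.3. Banner format assumed: "tcpdump version X.Y.Z".
FIXED_VERSION=4.9.3

# Print the dotted version number from a banner such as "tcpdump version 4.9.2";
# a distro suffix like "4.9.3-1" is cut off at the first non-version character.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when dotted version $1 sorts before $2, comparing up to four numeric
# fields (missing fields count as 0, so "4.9" equals "4.9.0").
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s.' "$1" | cut -d. -f"$i"); a=${a:-0}
        b=$(printf '%s.' "$2" | cut -d. -f"$i"); b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Exit 0 (vulnerable) when the banner reports a version below FIXED_VERSION,
# 1 when it is fixed, 2 when the banner is not recognised.
banner_is_vulnerable() {
    v=$(banner_version "$1")
    [ -n "$v" ] || { echo "unrecognised banner: $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# Use the real banner when tcpdump is installed, otherwise a constructed sample.
if command -v tcpdump >/dev/null 2>&1; then
    BANNER=$(tcpdump --version 2>&1 | head -1)
else
    BANNER="tcpdump version 4.9.2"   # constructed sample banner
fi
if banner_is_vulnerable "$BANNER"; then
    echo "VULNERABLE: $BANNER (fixed in tcpdump $FIXED_VERSION)"
else
    echo "not vulnerable by version: $BANNER"
fi
```

Distributions sometimes backport security fixes without changing the upstream version string, so a VULNERABLE result on a packaged tcpdump should be confirmed against the package's changelog before acting on it.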

📡 Detection & Monitoring

Log Indicators:

  • tcpdump crash logs
  • segmentation fault errors in system logs when tcpdump runs

Network Indicators:

  • Unusual VRRP traffic patterns
  • VRRP packets with malformed headers

SIEM Query:

process_name:"tcpdump" AND (event_type:"crash" OR exit_code:139)

(Exit code 139 is 128 + 11, i.e. the process was killed by SIGSEGV, which is what a fatal over-read typically produces.)
