CVE-2018-14879

7.0 HIGH

📋 TL;DR

CVE-2018-14879 is a buffer overflow vulnerability in tcpdump's command-line argument parser that allows attackers to execute arbitrary code or cause denial of service. This affects systems running tcpdump versions before 4.9.3. Anyone using vulnerable tcpdump versions to analyze network traffic could be impacted.

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: Linux, Unix-like systems, BSD variants
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the command-line argument parser, so any use of tcpdump with file arguments could trigger it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the tcpdump process, potentially leading to full system compromise.

🟠 Likely Case: Denial of service through application crash when processing malicious command-line arguments.

🟢 If Mitigated: Limited impact if tcpdump runs with minimal privileges and proper input validation is in place.

🌐 Internet-Facing: MEDIUM - tcpdump is typically used internally but could be exposed through web interfaces or automated tools.
🏢 Internal Only: MEDIUM - internal attackers or compromised systems could exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to control tcpdump command-line arguments, typically requiring some level of access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No

Instructions:

1. Update tcpdump using your distribution's package manager.
2. For source installations: download tcpdump 4.9.3 or later from the the-tcpdump-group/tcpdump GitHub repository.
3. Compile and install the updated version.

🔧 Temporary Workarounds

Restrict tcpdump usage (linux)

Limit who can run tcpdump and control its command-line arguments:

sudo chmod 750 /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Use alternative tools (linux)

Replace tcpdump with alternative packet analyzers like Wireshark (tshark) or tcpflow (on Debian/Ubuntu the tshark package is named tshark, not wireshark-tshark):

sudo apt-get install tshark
sudo yum install wireshark

🧯 If You Can't Patch

  • Run tcpdump with minimal privileges using capabilities or SELinux/AppArmor restrictions
  • Implement strict input validation for any scripts or tools that invoke tcpdump with user-supplied arguments

🔍 How to Verify

Check if Vulnerable:

Run: tcpdump --version 2>&1 | head -1 | grep -q 'tcpdump version 4\.9\.[0-2]\|tcpdump version 4\.[0-8]\|tcpdump version [0-3]' && echo 'VULNERABLE' || echo 'SAFE'

(The 2>&1 matters: older releases, including 4.9.x, print the version banner on stderr, so without it the pipeline sees nothing and reports SAFE on a vulnerable install.)

Check Version:

tcpdump --version 2>&1 | head -1

Verify Fix Applied:

Run: tcpdump --version 2>&1 | head -1 | grep -q 'tcpdump version 4\.9\.[3-9]\|tcpdump version 4\.[1-9][0-9]\|tcpdump version [5-9]\|tcpdump version [1-9][0-9]' && echo 'PATCHED' || echo 'STILL VULNERABLE'

(The pattern also accepts the 4.99.x series and any later major version, which a pattern limited to 4.9.3-4.9.9 would wrongly report as still vulnerable.)
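Digit-class patterns are brittle across version series. The following POSIX shell script is an added example (not the advisory's own check) that parses the banner and compares the version numerically against the 4.9.3 fix release; it assumes the first banner line has the form "tcpdump version X.Y.Z" and that older releases write that banner to stderr.

```shell
#!/bin/sh
# Added example, not the advisory's own check: compare the installed tcpdump
# version numerically against the CVE-2018-14879 fix release (4.9.3).
# Assumes the banner's first line reads "tcpdump version X.Y.Z"; 4.9.x writes
# it to stderr, hence the 2>&1 in check_installed_tcpdump.

# Print "MAJOR MINOR PATCH" parsed from one banner line; missing fields become 0.
parse_tcpdump_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v" | {
        IFS=. read -r maj min pat _rest
        printf '%s %s %s\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
    }
}

# Exit 0 if the version is affected (< 4.9.3), 1 if fixed, 2 if unparsable.
tcpdump_is_vulnerable() {
    fields=$(parse_tcpdump_version "$1") || return 2
    set -- $fields
    maj=$1; min=$2; pat=$3
    [ "$maj" -lt 4 ] && return 0
    [ "$maj" -gt 4 ] && return 1
    [ "$min" -lt 9 ] && return 0
    [ "$min" -gt 9 ] && return 1
    [ "$pat" -lt 3 ]
}

# Check the tcpdump on PATH and print VULNERABLE, PATCHED or UNKNOWN.
check_installed_tcpdump() {
    line=$(tcpdump --version 2>&1 | head -n 1)
    tcpdump_is_vulnerable "$line" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE: $line" ;;
        1) echo "PATCHED: $line" ;;
        *) echo "UNKNOWN: could not parse '$line'" ;;
    esac
}

check_installed_tcpdump
```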

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from tcpdump process
  • Unusual command-line arguments passed to tcpdump

Network Indicators:

  • Unexpected network traffic from systems running tcpdump

SIEM Query:

process_name:tcpdump AND (event_type:crash OR cmdline:*\"* OR cmdline:*'*)
