CVE-2018-14881

7.5 HIGH

📋 TL;DR

This vulnerability is a buffer over-read in tcpdump's BGP parser that allows attackers to cause denial of service or potentially leak memory contents. It affects systems running vulnerable versions of tcpdump that process BGP network traffic. Network administrators and security analysts using tcpdump for packet analysis are primarily affected.
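As an added illustration of the bug class (this is constructed for this page, not tcpdump's print-bgp.c and not the vulnerable code itself): a walker over BGP OPEN capability TLVs that checks every declared length against the bytes remaining before it touches the value. The absence of such a check is what lets a crafted capability length drive a read past the end of the packet buffer. Capability layouts follow RFC 5492 (code, length, value) and RFC 4724 (Graceful Restart); the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative walker over BGP OPEN capability TLVs (code, length, value),
 * written for this page; it is not tcpdump's print-bgp.c. Returns the number
 * of capabilities decoded, or -1 as soon as a length field would send the
 * parser past the end of the buffer (the over-read class of defect). */
int walk_capabilities(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        /* The 2-byte header itself may be cut short by a truncated packet. */
        if (len - off < 2)
            return -1;
        uint8_t code = buf[off];
        uint8_t clen = buf[off + 1];
        off += 2;

        /* Core check: the declared value length must fit in what remains.
         * Reading buf[off .. off + clen) on trust is the over-read. */
        if (clen > len - off)
            return -1;
        if (code == 64) {
            /* Graceful Restart (RFC 4724): 2-byte flags/time header, then
             * 4-byte AFI/SAFI/flags tuples; reject lengths that do not fit. */
            if (clen < 2 || (clen - 2) % 4 != 0)
                return -1;
            unsigned restart_time = ((buf[off] & 0x0f) << 8) | buf[off + 1];
            (void)restart_time; /* a real printer would emit this and the tuples */
        }
        off += clen; /* unknown capability codes are skipped by length */
        count++;
    }
    return count;
}

/* Constructed sample: Route Refresh (code 2, length 0) followed by Graceful
 * Restart (code 64, length 6) carrying one IPv4/unicast tuple. */
static const uint8_t good_caps[] = { 2, 0, 64, 6, 0x40, 0x78, 0, 1, 1, 0 };
/* Constructed sample: identical bytes, but the GR length claims 14 bytes. */
static const uint8_t bad_caps[]  = { 2, 0, 64, 14, 0x40, 0x78, 0, 1, 1, 0 };
/* Constructed sample: packet cut off inside a capability header. */
static const uint8_t short_caps[] = { 2, 0, 64 };

int check_good(void)  { return walk_capabilities(good_caps, sizeof good_caps); }   /* 2 */
int check_bad(void)   { return walk_capabilities(bad_caps, sizeof bad_caps); }     /* -1 */
int check_short(void) { return walk_capabilities(short_caps, sizeof short_caps); } /* -1 */
```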

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: Linux, Unix, BSD, macOS, Windows (via ports)
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when tcpdump is used to capture or analyze BGP network traffic. Systems not processing BGP packets are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, though this is unlikely: a buffer over-read reads past the end of a buffer rather than writing to it, so it does not corrupt memory.

🟠 Likely Case: Application crash (denial of service) or information disclosure through memory content leakage when processing malicious BGP packets.

🟢 If Mitigated: Minimal impact if tcpdump is not used to analyze BGP traffic or if proper network segmentation prevents malicious BGP packets from reaching vulnerable systems.

🌐 Internet-Facing: MEDIUM - tcpdump is often used on systems that analyze network traffic, but exploitation requires sending specially crafted BGP packets to vulnerable systems.
🏢 Internal Only: MEDIUM - Internal systems running vulnerable tcpdump versions that process BGP traffic could be affected by malicious internal actors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted BGP packets to a network interface being monitored by vulnerable tcpdump. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No (no reboot is needed, but any long-running tcpdump capture must be restarted so it uses the updated binary)

Instructions:

1. Check current tcpdump version: tcpdump --version
2. Update using system package manager: sudo apt update && sudo apt upgrade tcpdump (Debian/Ubuntu) or sudo yum update tcpdump (RHEL/CentOS)
3. Alternatively, download and compile from source: git clone https://github.com/the-tcpdump-group/tcpdump.git && cd tcpdump && ./configure && make && sudo make install

🔧 Temporary Workarounds

Disable BGP packet processing (all platforms)

Use a capture filter to exclude BGP traffic from analysis. BGP runs over TCP port 179 and tcpdump hands TCP payload on that port to its BGP parser, so excluding the port keeps the parser from running. Apply the same filter when reading saved captures with -r, since the parser runs on those too:

tcpdump not port 179

(A filter such as "not proto bgp" is not valid pcap-filter syntax: "proto" takes an IP protocol number or name, and BGP is not an IP protocol but an application over TCP.)

Restrict tcpdump usage (Linux)

Limit tcpdump execution to trusted users and monitor for unauthorized use:

sudo chmod 750 /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Note that setcap lets any user who can execute the binary capture traffic without root, so keep it paired with the chmod restriction above.

🧯 If You Can't Patch

  • Implement network segmentation to prevent untrusted BGP traffic from reaching systems running vulnerable tcpdump
  • Use alternative packet analysis tools that are not vulnerable, such as Wireshark with updated dissectors

🔍 How to Verify

Check if Vulnerable:

Run (tcpdump 4.9.x writes its version banner to stderr, hence the 2>&1; the comparison uses GNU sort -V): v=$(tcpdump --version 2>&1 | awk 'NR==1 {print $3}'); [ "$(printf '%s\n' "$v" 4.9.3 | sort -V | head -1)" = 4.9.3 ] && echo 'SAFE' || echo 'VULNERABLE'

Check Version:

tcpdump --version 2>&1 | head -1

Verify Fix Applied:

Run: v=$(tcpdump --version 2>&1 | awk 'NR==1 {print $3}'); [ "$(printf '%s\n' "$v" 4.9.3 | sort -V | head -1)" = 4.9.3 ] && echo 'PATCHED' || echo 'STILL VULNERABLE'

Note: distribution packages often backport the fix without changing the upstream version string, so a package reporting 4.9.2 may already be patched. Check the package changelog for CVE-2018-14881 before trusting the version alone: rpm -q --changelog tcpdump | grep -i CVE-2018-14881 (RHEL/CentOS) or zcat /usr/share/doc/tcpdump/changelog.Debian.gz | grep -i CVE-2018-14881 (Debian/Ubuntu).

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from tcpdump process
  • Unexpected termination of tcpdump sessions

Network Indicators:

  • Malformed BGP packets with crafted capabilities
  • BGP packets triggering abnormal tcpdump behavior

SIEM Query:

process_name:tcpdump AND (event_type:crash OR exit_code:139 OR signal:SIGSEGV)

(exit code 139 is 128 + 11, the shell's encoding of a process killed by SIGSEGV; kernel "segfault at ... in tcpdump" messages in dmesg or the journal are the equivalent host-level indicator)
