CVE-2018-16229

7.5 HIGH

📋 TL;DR

This vulnerability in tcpdump's DCCP parser allows attackers to cause a buffer over-read when processing malicious network packets. Systems running vulnerable versions of tcpdump that process DCCP traffic are affected, potentially leading to information disclosure or denial of service.

💻 Affected Systems

Products:
  • tcpdump
Versions: All versions before 4.9.3
Operating Systems: Linux, Unix-like systems, BSD variants, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing DCCP (Datagram Congestion Control Protocol) packets. Systems not using DCCP or not running tcpdump are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if combined with other vulnerabilities, or sensitive memory disclosure revealing credentials or other confidential data.

🟠 Likely Case: Application crash (denial of service) or limited information disclosure from adjacent memory locations.

🟢 If Mitigated: Minimal impact if tcpdump runs with limited privileges and doesn't process untrusted DCCP traffic.

🌐 Internet-Facing: MEDIUM - tcpdump is often used for network analysis but typically not directly internet-facing; risk exists if processing untrusted traffic.
🏢 Internal Only: MEDIUM - internal systems using tcpdump for packet analysis could be vulnerable to malicious internal traffic.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted DCCP packets to a system where tcpdump is running and processing those packets. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tcpdump 4.9.3 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES

Restart Required: No

Instructions:

1. Update tcpdump using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install tcpdump
3. For RHEL/CentOS: sudo yum update tcpdump
4. For source installation: download the latest release from https://www.tcpdump.org and compile it.

🔧 Temporary Workarounds

Disable DCCP processing (platform: all)

Configure tcpdump to skip DCCP packets using a BPF filter:

tcpdump not dccp

Run with reduced privileges (platform: linux)

Run tcpdump as a non-root user, or with only the capabilities it needs, to limit the impact of a crash:

sudo -u nobody tcpdump

🧯 If You Can't Patch

  • Restrict tcpdump usage to trusted networks only
  • Implement network segmentation to prevent untrusted DCCP traffic from reaching systems running tcpdump

🔍 How to Verify

Check if Vulnerable:

Run: tcpdump --version | head -1. If version is earlier than 4.9.3, system is vulnerable.

Check Version:

tcpdump --version | head -1

Verify Fix Applied:

Run: tcpdump --version | head -1. Confirm version is 4.9.3 or later.
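The version check above, as an added example that is not part of this advisory: a POSIX shell helper that parses the first line of the tcpdump banner and compares it numerically against the fixed release 4.9.3 (so 4.10.x or 4.99.x are not misread as older). It assumes the banner has the usual "tcpdump version X.Y.Z" form, and merges stderr because tcpdump 4.9.x prints its version banner there rather than on stdout.

```shell
#!/bin/sh
# Added example (not from this advisory): parse the first line of
# `tcpdump --version` and report whether it predates the fixed release
# 4.9.3. tcpdump 4.9.x prints its version banner on stderr, so the live
# check merges stderr before piping to head.

FIXED_VERSION="4.9.3"

# Extract "X.Y.Z" from a banner such as "tcpdump version 4.9.2";
# prints nothing if the line carries no tcpdump version number.
tcpdump_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 (true) if dotted version $1 is older than $2, comparing each
# component numerically so that 4.10.0 sorts after 4.9.3.
version_lt() {
    a="$1" b="$2" i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Classify a banner line as "vulnerable", "fixed" or "unknown".
classify_banner() {
    v=$(tcpdump_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Live check against the installed binary.
check_installed_tcpdump() {
    banner=$(tcpdump --version 2>&1 | head -n 1)
    echo "$banner -> $(classify_banner "$banner")"
}
```

Call check_installed_tcpdump on each host; distribution builds that backport the fix under an older version string will still report as vulnerable, so confirm against the package changelog in that case.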

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from tcpdump process
  • Unexpected termination of tcpdump with error codes

Network Indicators:

  • Unusual DCCP traffic patterns
  • Malformed DCCP packets targeting systems known to run tcpdump

SIEM Query:

process_name:"tcpdump" AND (event_type:"crash" OR exit_code:139 OR exit_code:11)
