CVE-2018-16451
📋 TL;DR
This vulnerability is a buffer over-read in tcpdump's SMB parser that could allow attackers to cause denial of service or potentially leak memory contents. It affects tcpdump versions before 4.9.3 when parsing specific SMB protocol packets. Anyone using vulnerable tcpdump versions to analyze network traffic containing malicious SMB packets could be affected.
💻 Affected Systems
- tcpdump
📦 What is this software?
- Fedora by Fedoraproject
- Leap by Opensuse
- Tcpdump by Tcpdump
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise if combined with other vulnerabilities; this is unlikely, since the defect is an over-read that discloses memory but does not write to it.
Likely Case
Denial of service through application crash or memory disclosure of tcpdump process contents.
If Mitigated
Minimal impact with proper network segmentation and updated software.
🎯 Exploit Status
Exploitation requires ability to send malicious SMB packets to network interfaces being monitored by tcpdump.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.3 and later
Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES
Restart Required: No
Instructions:
1. Check current version: tcpdump --version
2. Update via package manager: sudo apt-get update && sudo apt-get install tcpdump (Debian/Ubuntu) or sudo yum update tcpdump (RHEL/CentOS)
3. Verify update: tcpdump --version should show 4.9.3 or higher
🔧 Temporary Workarounds
Disable SMB parsing
Linux: run tcpdump with a capture filter that excludes the SMB ports, so the vulnerable SMB dissector is never invoked on that traffic. Note that tcpdump decodes NetBIOS datagram traffic (UDP port 138, which carries the mailslot browse announcements) with the same SMB code, so extend the filter to cover it where that traffic is present.
tcpdump not port 445 and not port 139
Restrict tcpdump usage
Linux: limit tcpdump execution to trusted users and networks. The setcap line below lets any user who can execute the binary capture packets, so apply it only together with the restrictive file mode.
sudo chmod 750 /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
🧯 If You Can't Patch
- Restrict network access to prevent malicious SMB packets from reaching monitored interfaces
- Run tcpdump with reduced privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Run: tcpdump --version 2>&1 | grep -E '^tcpdump version' | awk '{print $3}' | grep -q -E '^[0-3]\.|^4\.[0-8]\.|^4\.9\.[0-2]([^0-9]|$)' && echo 'VULNERABLE' || echo 'SAFE'
(The 2>&1 matters: tcpdump 4.9.x prints its version banner to stderr, so without it the pipeline sees no output and reports SAFE on a vulnerable install. Distributions sometimes backport fixes without changing the upstream version number; if in doubt, consult the package changelog as well.)
Check Version:
tcpdump --version 2>&1 | head -1
Verify Fix Applied:
Check that the version is 4.9.3 or higher: tcpdump --version 2>&1 | grep -E '^tcpdump version'
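The one-line checks above pattern-match the version string, which is fragile (a hypothetical 4.10 would be misread, and a banner on stderr is missed). The following script is an added example, not part of the advisory or of the tcpdump project: it extracts the version from the banner text, compares it numerically against the 4.9.3 threshold, and merges stderr because 4.9.x prints the banner there. The two sample banners are constructed for the self-test; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original advisory): numeric version check for
# CVE-2018-16451. Usage:
#   sh check_tcpdump.sh          -> checks the installed tcpdump binary
#   sh check_tcpdump.sh 4.9.2    -> evaluates a version string you supply

# Reduce a version string to its leading dotted-numeric part, e.g.
# "4.9.3-1" -> "4.9.3". Prints nothing if the string does not start with a digit.
numeric_version() {
    printf '%s\n' "$1" | sed -nE 's/^([0-9]+(\.[0-9]+)*).*/\1/p'
}

# Return 0 if the version is older than 4.9.3 (vulnerable), 1 if it is
# 4.9.3 or later, 2 if the string cannot be parsed.
is_vulnerable_version() {
    v=$(numeric_version "$1")
    [ -n "$v" ] || return 2
    # Split on dots into positional parameters; missing fields count as 0.
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -gt 4 ]; then return 1; fi
    if [ "$minor" -lt 9 ]; then return 0; fi
    if [ "$minor" -gt 9 ]; then return 1; fi
    if [ "$patch" -lt 3 ]; then return 0; fi
    return 1
}

# Pull the version number out of banner text. Only the first
# "tcpdump version ..." line counts; the libpcap line is ignored.
version_from_banner() {
    printf '%s\n' "$1" | sed -nE 's/^tcpdump version ([0-9][0-9.]*).*/\1/p' | head -n 1
}

# Print a verdict for a banner and return is_vulnerable_version's status.
verdict_for_banner() {
    ver=$(version_from_banner "$1")
    if is_vulnerable_version "$ver"; then rc=0; else rc=$?; fi
    case $rc in
        0) printf 'VULNERABLE: tcpdump %s is older than 4.9.3\n' "$ver" ;;
        1) printf 'SAFE: tcpdump %s is 4.9.3 or later\n' "$ver" ;;
        *) printf 'UNKNOWN: could not parse a tcpdump version from the banner\n' ;;
    esac
    return $rc
}

# Query the installed binary. 4.9.x writes the banner to stderr, so merge it.
check_installed_tcpdump() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo 'tcpdump is not installed'
        return 2
    fi
    verdict_for_banner "$(tcpdump --version 2>&1)"
}

# Constructed sample banners in the format tcpdump 4.9.x and 4.99.x print.
SAMPLE_OLD='tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.1.1'
SAMPLE_NEW='tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)'

main() {
    if [ $# -gt 0 ]; then
        verdict_for_banner "tcpdump version $1"
    else
        check_installed_tcpdump
    fi
    return 0   # the verdict is printed; the exit status is not used as a signal
}
main "$@"
```

The comparison is done field by field rather than with a regular expression, so the result stays correct for any future version numbering; the banner parsing and the numeric comparison are separate functions so each can be exercised on its own.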
📡 Detection & Monitoring
Log Indicators:
- tcpdump segmentation faults or abnormal termination when monitoring SMB traffic
- System logs showing tcpdump crashes with memory access errors
Network Indicators:
- Unusual SMB traffic patterns targeting \MAILSLOT\BROWSE or \PIPE\LANMAN paths
- Malformed SMB packets on ports 445/139
SIEM Query:
process.name:"tcpdump" AND (event.action:"segmentation fault" OR event.action:"crash")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html
- http://seclists.org/fulldisclosure/2019/Dec/26
- https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES
- https://github.com/the-tcpdump-group/tcpdump/commit/96480ab95308cd9234b4f09b175ebf60e17792c6
- https://lists.debian.org/debian-lts-announce/2019/10/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU/
- https://seclists.org/bugtraq/2019/Dec/23
- https://seclists.org/bugtraq/2019/Oct/28
- https://security.netapp.com/advisory/ntap-20200120-0001/
- https://support.apple.com/kb/HT210788
- https://usn.ubuntu.com/4252-1/
- https://usn.ubuntu.com/4252-2/
- https://www.debian.org/security/2019/dsa-4547