CVE-2020-24265
📋 TL;DR
CVE-2020-24265 is a heap buffer overflow vulnerability in tcpreplay's tcpprep utility that allows attackers to cause denial of service through application crashes. This affects systems running vulnerable versions of tcpreplay where tcpprep processes untrusted input. The vulnerability stems from improper bounds checking in the MemcmpInterceptorCommon() function.
💻 Affected Systems
- tcpreplay
📦 What is this software?
Fedora by Fedoraproject
Tcpreplay by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if heap manipulation succeeds, though this is less likely than DoS.
Likely Case
Denial of service through application crash when processing malicious packet capture files.
If Mitigated
Limited to tcpprep process termination without system-wide impact if proper privilege separation exists.
🎯 Exploit Status
Exploitation requires ability to provide malicious pcap files to tcpprep. Proof-of-concept crash demonstrations exist in the GitHub issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: tcpreplay v4.3.4 and later
Vendor Advisory: https://github.com/appneta/tcpreplay/issues/616
Restart Required: No
Instructions:
1. Update tcpreplay to version 4.3.4 or later using your package manager.
2. For Linux: Use 'sudo apt update && sudo apt upgrade tcpreplay' (Debian/Ubuntu) or 'sudo yum update tcpreplay' (RHEL/CentOS).
3. For source installation: Download latest from GitHub and compile.
🔧 Temporary Workarounds
Restrict tcpprep usage
Linux: Limit tcpprep execution to trusted users and validate input files before processing.
chmod 750 /usr/bin/tcpprep
setfacl -m u:trusteduser:rx /usr/bin/tcpprep
Input validation wrapper
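Linux: Create a wrapper script that validates pcap files before passing them to tcpprep.
#!/bin/bash
# Usage: <wrapper> <pcap> [other tcpprep options...]
# Validate the pcap with tcpdump first (reads the whole capture, not only the first packet)
pcap="$1"
if [ -z "$pcap" ]; then
    echo "Usage: $0 <pcap> [tcpprep options]" >&2
    exit 2
fi
shift
if tcpdump -nn -r "$pcap" >/dev/null 2>&1; then
    # Pass the validated file explicitly; remaining arguments go to tcpprep unchanged
    exec tcpprep --pcap="$pcap" "$@"
else
    echo "Invalid pcap file" >&2
    exit 1
fi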
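A structural pre-check that such a wrapper could run before handing a capture to tcpprep, shown as an added example (not code from this advisory or from the tcpreplay project). It assumes the classic pcap format (not pcapng); the function names, the snaplen ceiling and the sample builder are illustrative, and a clean result only means the file is internally consistent, not that an unpatched tcpprep will handle it safely.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants).
MAGICS = {0xA1B2C3D4, 0xA1B23C4D}
MAX_SNAPLEN = 262144  # assumed ceiling, matching libpcap's MAXIMUM_SNAPLEN


def check_pcap(data: bytes) -> list:
    """Return a list of structural problems; an empty list means consistent."""
    problems = []
    if len(data) < 24:
        return ["file shorter than 24-byte global header"]
    # Detect byte order from the magic number.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        return ["unknown magic number (not classic pcap)"]
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    if snaplen == 0 or snaplen > MAX_SNAPLEN:  # strict policy, see lead-in
        problems.append(f"implausible snaplen {snaplen}")
    offset, index = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            problems.append(f"record {index}: truncated record header")
            break
        hdr = struct.unpack(endian + "IIII", data[offset:offset + 16])
        incl_len, orig_len = hdr[2], hdr[3]
        offset += 16
        if incl_len > snaplen:
            problems.append(f"record {index}: incl_len {incl_len} exceeds snaplen {snaplen}")
        if incl_len > orig_len:
            problems.append(f"record {index}: incl_len {incl_len} exceeds orig_len {orig_len}")
        if incl_len > len(data) - offset:
            problems.append(f"record {index}: data runs past end of file")
            break
        offset += incl_len
        index += 1
    return problems


def make_pcap(records, snaplen=65535):
    """Build a constructed little-endian Ethernet pcap from (incl_len, orig_len, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for incl_len, orig_len, payload in records:
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + payload
    return out
```

A wrapper would read the file in binary mode, call check_pcap() on its contents, and refuse to invoke tcpprep when the returned list is not empty.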
🧯 If You Can't Patch
- Disable or remove tcpprep binary if not required for operations.
- Run tcpprep in isolated containers with resource limits to contain crashes.
🔍 How to Verify
Check if Vulnerable:
Run 'tcpprep --version' and check if version is 4.3.3 or earlier.
Check Version:
tcpprep --version | head -1
Verify Fix Applied:
Confirm version is 4.3.4 or later with 'tcpprep --version' and test with known problematic pcap files.
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault or crash logs from tcpprep process
- Abnormal termination of tcpprep in system logs
Network Indicators:
- None - this is a local file-processing vulnerability
SIEM Query:
process.name="tcpprep" AND (event.action="segmentation fault" OR event.action="crash")
🔗 References
- https://github.com/appneta/tcpreplay/issues/616
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EA7K7VKDK2K3SY2DHQQYSCBGZLKPWXJ4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LC3UMBJFBK5HYUX7H2NGXVFI2I2EMAOF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M623ONZKOZL5Y7XQNHKXEPV76XYCPXQM/
- https://security.gentoo.org/glsa/202105-21