CVE-2020-8037

7.5 HIGH

📋 TL;DR

CVE-2020-8037 is a memory allocation vulnerability in tcpdump's PPP decapsulator that allows attackers to trigger excessive memory consumption through specially crafted packets. This affects systems running vulnerable versions of tcpdump when processing network traffic. The vulnerability can lead to denial of service through resource exhaustion.

💻 Affected Systems

Products:
  • tcpdump
Versions: tcpdump 4.9.3 and earlier versions with vulnerable PPP decapsulator
Operating Systems: Linux, Unix-like systems, Any OS running vulnerable tcpdump
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when tcpdump processes PPP-encapsulated packets. Systems using tcpdump for network monitoring or packet analysis are most exposed.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or denial of service due to memory exhaustion, potentially affecting multiple services on the same host.

🟠

Likely Case

Degraded performance or temporary service interruption of tcpdump and potentially other applications due to memory pressure.

🟢

If Mitigated

Minimal impact if tcpdump runs with limited privileges and memory constraints, or if vulnerable functionality is disabled.

🌐 Internet-Facing: MEDIUM - tcpdump often runs on monitoring systems that process traffic from untrusted sources, but exploitation requires specific packet crafting.
🏢 Internal Only: LOW - Internal network traffic is typically less hostile, but risk exists if attackers gain internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted PPP packets to a system where tcpdump is running and processing traffic. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tcpdump 4.9.4 and later

Vendor Advisory: https://github.com/the-tcpdump-group/tcpdump/commit/32027e199368dad9508965aae8cd8de5b6ab5231

Restart Required: No

Instructions:

1. Update tcpdump using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade tcpdump
3. For RHEL/CentOS: sudo yum update tcpdump
4. For Fedora: sudo dnf update tcpdump
5. Verify the installation with tcpdump --version.

🔧 Temporary Workarounds

Disable PPP processing (linux)

Run tcpdump with a filter that excludes PPP traffic:

tcpdump not ppp

Limit tcpdump memory usage (linux)

Use ulimit to restrict the virtual memory available to the tcpdump process:

ulimit -v 1048576
tcpdump [options]

🧯 If You Can't Patch

  • Restrict tcpdump to trusted network segments only
  • Implement network filtering to block PPP traffic to monitoring systems

🔍 How to Verify

Check if Vulnerable:

Check the tcpdump version: tcpdump --version | head -1. If the version is 4.9.3 or earlier, the system is vulnerable.

Check Version:

tcpdump --version | head -1

Verify Fix Applied:

After update, verify version is 4.9.4 or later: tcpdump --version | head -1
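The version check above, scripted so it can run across a fleet. This is an added example, not part of the advisory or of tcpdump itself; it assumes the first line of tcpdump --version has the form "tcpdump version X.Y.Z" and uses the fixed version stated on this page (4.9.4) as the threshold.

```sh
#!/bin/sh
# Added example: decide whether a tcpdump build is below the fixed version
# this page gives for CVE-2020-8037 (4.9.4). Not code from the advisory or from tcpdump.

# Return 0 (true) if dotted version A is older than dotted version B.
# Compares up to three numeric components; a missing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s' "$a" | cut -d. -f"$i")
        bi=$(printf '%s' "$b" | cut -d. -f"$i")
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Extract "X.Y.Z" from a line such as "tcpdump version 4.9.3" (assumed output format).
tcpdump_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p'
}

# Print VULNERABLE or PATCHED for a version line; prints UNKNOWN and returns 2
# when the line does not carry a parseable version.
cve_2020_8037_status() {
    v=$(tcpdump_version_from_line "$1")
    [ -n "$v" ] || { echo "UNKNOWN"; return 2; }
    if version_lt "$v" "4.9.4"; then echo "VULNERABLE"; else echo "PATCHED"; fi
}

# Stand-alone usage: check the locally installed binary, if there is one.
# Some builds write the version banner to stderr, hence 2>&1.
if command -v tcpdump >/dev/null 2>&1; then
    cve_2020_8037_status "$(tcpdump --version 2>&1 | head -1)"
fi
```

Because the comparison is numeric per component, builds such as 4.99.x or 4.10.x are correctly reported as newer than 4.9.4 rather than compared as strings.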

📡 Detection & Monitoring

Log Indicators:

  • System logs showing memory exhaustion
  • tcpdump process crashes
  • OOM killer activity related to tcpdump

Network Indicators:

  • Unusual PPP traffic patterns
  • High volume of PPP packets to monitoring interfaces

SIEM Query:

process_name:"tcpdump" AND (event_type:"crash" OR memory_usage:>90%)
