CVE-2022-27940

7.8 HIGH

📋 TL;DR

CVE-2022-27940 is a heap-based buffer over-read vulnerability in the tcprewrite component of Tcpreplay 4.4.1. It allows attackers to read memory contents beyond the intended buffer, potentially leading to information disclosure or a crash of the application. Users running Tcpreplay 4.4.1 with tcprewrite are affected.

💻 Affected Systems

Products:
  • Tcpreplay
Versions: 4.4.1 specifically
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the tcprewrite component when it processes IPv6 packets

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution through memory corruption leading to complete system compromise

🟠 Likely Case: Application crash (denial of service) or information disclosure from memory contents

🟢 If Mitigated: Limited impact if tcprewrite is not processing untrusted input files

🌐 Internet-Facing: LOW - tcprewrite typically processes local packet capture files
🏢 Internal Only: MEDIUM - Could be exploited by malicious internal users feeding crafted pcap files

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires feeding malicious pcap files to tcprewrite

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.2 and later

Vendor Advisory: https://github.com/appneta/tcpreplay/issues/718

Restart Required: No

Instructions:

1. Upgrade Tcpreplay to version 4.4.2 or later
2. Recompile if using source distribution
3. Verify installation with tcpreplay --version

🔧 Temporary Workarounds

Avoid processing untrusted pcap files (platform: all)

Only use tcprewrite with trusted packet capture files.

Disable IPv6 processing (platform: linux)

Filter out IPv6 packets before processing with tcprewrite (the filter expression goes last so the command also works with non-GNU getopt):

tcpdump -r input.pcap -w filtered.pcap 'not ip6'

🧯 If You Can't Patch

  • Restrict tcprewrite usage to trusted users only
  • Implement file integrity monitoring on pcap files processed by tcprewrite

🔍 How to Verify

Check if Vulnerable:

Run: tcprewrite --version 2>&1 | grep -qE '\b4\.4\.1\b' && echo 'VULNERABLE'

Check Version:

tcprewrite --version

Verify Fix Applied:

Run: v=$(tcprewrite --version 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1); [ "$(printf '%s\n' 4.4.2 "$v" | sort -V | head -n 1)" = 4.4.2 ] && echo 'PATCHED'
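The same check as a reusable script, added here as an example and not part of the original advisory or the Tcpreplay project: it extracts the installed version, compares it against the first fixed release with natural version ordering (assumes GNU/BSD sort -V), and reports VULNERABLE, PATCHED or UNKNOWN rather than matching a fixed list of version strings.

```shell
#!/bin/sh
# Added example (not from the advisory): version-aware check for CVE-2022-27940.
# Assumes `sort -V` (GNU coreutils or a BSD sort that supports it).

FIXED_VERSION="4.4.2"   # first release that contains the fix, per the advisory

# Print the first x.y.z token from the --version banner. stderr is merged in
# case a build prints the banner there instead of stdout.
get_tcprewrite_version() {
    tcprewrite --version 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed (exit 0) when A >= B in natural version order,
# so 4.4.10 and 5.0.0 both compare greater than 4.4.2.
version_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify VERSION: VULNERABLE for the affected release, PATCHED for the
# fixed release or anything newer, UNKNOWN for older releases not covered
# by this advisory.
classify() {
    case "$1" in
        4.4.1) echo VULNERABLE ;;
        *)
            if version_ge "$1" "$FIXED_VERSION"; then
                echo PATCHED
            else
                echo UNKNOWN
            fi
            ;;
    esac
}

# Stand-alone run: only query the binary if it is actually installed.
if command -v tcprewrite >/dev/null 2>&1; then
    ver=$(get_tcprewrite_version)
    printf 'tcprewrite %s: %s\n' "${ver:-unknown}" "$(classify "${ver:-0}")"
else
    echo "tcprewrite not found in PATH" >&2
fi
```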

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from tcprewrite
  • Unexpected memory access errors

Network Indicators:

  • Unusual pcap file transfers to systems running tcprewrite

SIEM Query:

process_name:tcprewrite AND (event_type:crash OR exit_code:139)
