CVE-2022-28487
📋 TL;DR
CVE-2022-28487 is a memory leak vulnerability in Tcpreplay 4.4.1's fix_ipv6_checksums() function that can lead to resource exhaustion and potential data confidentiality impacts. This affects systems running vulnerable versions of Tcpreplay, particularly those processing IPv6 network traffic. The vulnerability allows attackers to gradually degrade system performance and potentially access sensitive information.
💻 Affected Systems
- Tcpreplay
📦 What is this software?
Fedora by Fedoraproject
Tcpreplay by Broadcom
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could cause complete system resource exhaustion leading to denial of service, memory corruption, and potential data leakage from adjacent memory regions.
Likely Case
Gradual memory consumption leading to performance degradation and eventual application crashes during prolonged IPv6 packet processing sessions.
If Mitigated
Minimal impact with proper monitoring and resource limits, though memory usage would still be higher than normal during IPv6 traffic processing.
🎯 Exploit Status
Exploitation requires feeding IPv6 packets to Tcpreplay. No public exploit code has been identified, but the vulnerability is straightforward to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.4.2 and later
Vendor Advisory: https://github.com/appneta/tcpreplay/issues/723
Restart Required: Yes
Instructions:
1. Stop all Tcpreplay processes.
2. Update to Tcpreplay 4.4.2 or later using your package manager (apt-get upgrade tcpreplay, yum update tcpreplay, etc.).
3. Restart any Tcpreplay services or processes.
🔧 Temporary Workarounds
Disable IPv6 processing
Linux: Avoid using Tcpreplay with IPv6 packets to prevent triggering the vulnerable code path
tcpreplay --disable-ipv6 [other options]
Resource limiting
Linux: Limit memory usage of Tcpreplay processes to contain potential memory exhaustion
ulimit -v 1048576
systemctl set-property tcpreplay.service MemoryMax=1G
🧯 If You Can't Patch
- Monitor memory usage of Tcpreplay processes and restart if memory consumption grows abnormally
- Avoid processing untrusted IPv6 packet captures with Tcpreplay
🔍 How to Verify
Check if Vulnerable:
Check Tcpreplay version: tcpreplay --version | grep 'tcpreplay version'
Check Version:
tcpreplay --version
Verify Fix Applied:
Verify version is 4.4.2 or higher: tcpreplay --version | grep -E '4\.4\.([2-9]|[1-9][0-9])'
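The grep pattern above matches only 4.4.x version strings, so a later release such as 4.5.1 would not be reported as fixed. The script below is an added example, not code from the Tcpreplay project: it compares the version numerically against 4.4.2. The banner format and the sample banners are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Tcpreplay project): decide from a version banner
# whether an install is at or above the fixed release named on this page.

FIXED_VERSION="4.4.2"   # "Patch Version" stated above

# Read banner text on stdin; print the first x.y.z token that follows the
# words "tcpreplay version". Assumption: the banner has that shape.
extract_version() {
    sed -n 's/.*tcpreplay version[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if version $1 >= version $2, comparing each field as a number
# (so 4.4.10 is newer than 4.4.2, which a string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read banner text on stdin; print "patched", "vulnerable" or "unknown".
classify_banner() {
    v=$(extract_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample banners (not captured output), then the local binary.
for sample in 'tcpreplay version: 4.4.1' 'tcpreplay version: 4.4.10' \
              'tcpreplay version: 4.5.1'; do
    printf '%s -> %s\n' "$sample" "$(printf '%s\n' "$sample" | classify_banner)"
done
if command -v tcpreplay >/dev/null 2>&1; then
    tcpreplay --version 2>&1 | classify_banner
fi
```

An "unknown" result means no version token was found in the banner and the install should be checked by hand.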
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption patterns in system logs
- Tcpreplay process crashes or restarts
- High memory usage alerts from monitoring systems
Network Indicators:
- Unusual volume of IPv6 traffic to systems running Tcpreplay
- Repeated IPv6 packet processing sessions
SIEM Query:
process_name:"tcpreplay" AND (memory_usage > 90% OR process_restart_count > 3)
🔗 References
- https://github.com/appneta/tcpreplay/issues/723
- https://github.com/appneta/tcpreplay/pull/720
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5B75AFRJUGOYHCFG2ZV2JKSUPA6MSCT5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECRCFJ6X3IVB7BT4KS6AHQMSL532YXYD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWRZO7BG6DHA5NAC3COB45WFXLYRIERC/
- https://security.gentoo.org/glsa/202210-08