CVE-2004-0184
published 2004-05-04

Priority: P434 medium
CVSS 2.0: 5 (AV:N / AC:L / Au:N / C:N / I:N / A:P)
EXPLOIT
EPSS: 60.35% (99.0th percentile)
Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.

Affected

6 ranges
Vendor  | Product | Version range                | Fixed in
debian  | tcpdump | < tcpdump 3.7.2-4 (bookworm) | tcpdump 3.7.2-4 (bookworm)
tcpdump | tcpdump | <= 3.8.1                     |
tcpdump | tcpdump | >= 0 < 3.7.2-4               | 3.7.2-4
tcpdump | tcpdump | >= 0 < 3.7.2-4               | 3.7.2-4
tcpdump | tcpdump | >= 0 < 3.7.2-4               | 3.7.2-4
tcpdump | tcpdump | >= 0 < 3.7.2-4               | 3.7.2-4

Detection & IOCs (extracted from sources)

port: 500/udp (isakmp)
version: tcpdump 3.8.1
bytes:
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x10\x01\x00\x00\x00\x00\x00\x00\x00\x00\x24\x00\x00\x00\x05\x20\x00\x00\x00
  • Trigger requires tcpdump verbosity level of at least 3 (-vvv); without it, no crash occurs. Monitor for tcpdump processes launched with -vvv while receiving ISAKMP traffic.
  • Detect malformed ISAKMP Identification payloads over UDP/500 where the payload length field (bytes 2-3 of the ID payload) is set to a value less than 8 (e.g., 0x0005), which underflows after byte-order conversion.
  • The exploit sends a single UDP datagram to port 500 (isakmp service) with a crafted ISAKMP header (Next payload=0x05, Version=0x10, total length=0x24) and an ID payload length of 0x0005. Filter for UDP/500 packets of exactly 36 bytes with these header characteristics.
  • tcpdump 3.8.3 and later are not vulnerable; ensure deployed versions are at or above this threshold.
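
A passive check for the undersized Identification payload described in the bullets above, as an added example (not code from the cited sources or from tcpdump). It walks the ISAKMP payload chain as laid out in RFC 2408; the names `check_isakmp` and `build` and both sample datagrams are constructed here for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
PAYLOAD_ID = 5                             # Identification payload type
MIN_ID_LEN = 8                             # 4-byte generic header + 4-byte ID header


def check_isakmp(datagram: bytes) -> list[str]:
    """Return findings for one UDP/500 datagram; an empty list means no anomaly."""
    if len(datagram) < ISAKMP_HDR.size:
        return ["truncated ISAKMP header"]
    _, _, next_payload, _, _, flags, _, total_len = ISAKMP_HDR.unpack_from(datagram)
    findings = []
    if total_len != len(datagram):
        findings.append(f"header length {total_len} != datagram size {len(datagram)}")
    if flags & 0x01:
        return findings  # encrypted body: the payload chain cannot be inspected
    offset = ISAKMP_HDR.size
    end = min(total_len, len(datagram))
    while next_payload != 0:
        if offset + GENERIC_HDR.size > end:
            findings.append(f"payload type {next_payload} truncated at offset {offset}")
            break
        following, _, plen = GENERIC_HDR.unpack_from(datagram, offset)
        if next_payload == PAYLOAD_ID and plen < MIN_ID_LEN:
            findings.append(f"ID payload length {plen} < {MIN_ID_LEN} at offset {offset}")
        if plen < GENERIC_HDR.size or offset + plen > end:
            findings.append(f"payload type {next_payload} has bad length {plen}")
            break  # cannot advance safely past an inconsistent length
        offset += plen
        next_payload = following
    return findings


def build(id_len: int, body: bytes) -> bytes:
    """Constructed sample: ISAKMP header followed by a single ID payload."""
    payload = GENERIC_HDR.pack(0, 0, id_len) + body
    header = ISAKMP_HDR.pack(bytes(8), bytes(8), PAYLOAD_ID, 0x10, 1, 0, 0,
                             ISAKMP_HDR.size + len(payload))
    return header + payload


# Constructed from the field values listed above: 36 bytes, ID length 0x0005.
MALFORMED = build(5, b"\x20\x00\x00\x00")
# Constructed well-formed counterpart: ID_IPV4_ADDR carrying 0.0.0.0.
WELL_FORMED = build(12, b"\x01\x00\x00\x00" + bytes(4))
```

Run it over captured UDP/500 payloads; any non-empty result marks a datagram worth retaining for review.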

CVSS provenance

nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
osv: 5.0 MEDIUM
vendor_debian: 5.0 MEDIUM
vendor_redhat: 5.0 MEDIUM