CVE-2004-0184
Published 2004-05-04
Priority: P4 · 34 · medium · CVSS 2.0: 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 60.35% (99.0th percentile)
Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tcpdump | < tcpdump 3.7.2-4 (bookworm) | tcpdump 3.7.2-4 (bookworm) |
| tcpdump | tcpdump | <= 3.8.1 | — |
| tcpdump | tcpdump | >= 0 < 3.7.2-4 | 3.7.2-4 |
| tcpdump | tcpdump | >= 0 < 3.7.2-4 | 3.7.2-4 |
| tcpdump | tcpdump | >= 0 < 3.7.2-4 | 3.7.2-4 |
| tcpdump | tcpdump | >= 0 < 3.7.2-4 | 3.7.2-4 |
Detection & IOCs
bytes:
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x10\x01\x00\x00\x00\x00\x00\x00\x00\x00\x24\x00\x00\x00\x05\x20\x00\x00\x00
- Trigger requires tcpdump verbosity level of at least 3 (-vvv); without it, no crash occurs. Monitor for tcpdump processes launched with -vvv while receiving ISAKMP traffic.
- Detect malformed ISAKMP Identification payloads over UDP/500 where the payload length field (bytes 2-3 of the ID payload) is set to a value less than 8 (e.g., 0x0005), which underflows after byte-order conversion.
- The exploit sends a single UDP datagram to port 500 (isakmp service) with a crafted ISAKMP header (Next payload=0x05, Version=0x10, total length=0x24) and an ID payload length of 0x0005. Filter for UDP/500 packets of exactly 36 bytes with these header characteristics.
- tcpdump 3.8.3 and later are not vulnerable; ensure deployed versions are at or above this threshold.
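One way to implement the two detection checks above in Python, as an added example that is not from the page's sources or from tcpdump itself: it walks the ISAKMP payload chain of a UDP/500 datagram and flags any Identification payload whose length field is below the 8-byte fixed ID header (the value the printer subtracts), plus the coarse 36-byte header-shape filter. The sample datagrams are constructed from the header values the page describes, not captured traffic.

```python
import struct

# ISAKMP fixed header: 8-byte initiator cookie, 8-byte responder cookie,
# next-payload, version, exchange type, flags, 4-byte message ID, 4-byte length.
ISAKMP_HDR_LEN = 28
PAYLOAD_HDR_LEN = 4       # next-payload, reserved, 16-bit payload length
ID_PAYLOAD_TYPE = 5       # Identification payload
ID_FIXED_LEN = 8          # generic header + ID type, protocol ID, port


def find_short_id_payloads(datagram: bytes) -> list:
    """Walk the payload chain and return (offset, length) for every
    Identification payload whose length field is smaller than the 8-byte
    fixed ID header; subtracting 8 from such a length underflows."""
    findings = []
    if len(datagram) < ISAKMP_HDR_LEN:
        return findings
    next_type = datagram[16]              # type of the first payload
    offset = ISAKMP_HDR_LEN
    while next_type != 0 and offset + PAYLOAD_HDR_LEN <= len(datagram):
        this_type = next_type
        next_type = datagram[offset]      # each payload names the next one
        plen = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        if this_type == ID_PAYLOAD_TYPE and plen < ID_FIXED_LEN:
            findings.append((offset, plen))
        if plen < PAYLOAD_HDR_LEN:
            break                          # cannot advance on a bogus length
        offset += plen
    return findings


def matches_poc_shape(datagram: bytes) -> bool:
    """Coarse filter from the advisory: exactly 36 bytes, next payload 0x05,
    version 0x10, header length field 0x24."""
    return (len(datagram) == 36 and datagram[16] == 0x05
            and datagram[17] == 0x10
            and struct.unpack("!I", datagram[24:28])[0] == 0x24)


def isakmp_header(next_payload: int, total_len: int) -> bytes:
    # zero cookies, next payload, version 1.0, exchange type 1, flags, msg ID, length
    return (bytes(16) + bytes([next_payload, 0x10, 0x01, 0x00]) + bytes(4)
            + struct.pack("!I", total_len))


# Constructed samples: an ID payload whose length field is 5 (below the fixed
# header), and a sane 12-byte ID payload (ID_IPV4_ADDR, UDP, port 0, address).
MALFORMED = isakmp_header(5, 36) + bytes([0, 0]) + struct.pack("!H", 5) + bytes([0x20, 0, 0, 0])
WELLFORMED = (isakmp_header(5, 40) + bytes([0, 0]) + struct.pack("!H", 12)
              + bytes([1, 17, 0, 0]) + b"\xc0\xa8\x01\x01")

if __name__ == "__main__":
    for name, pkt in (("malformed", MALFORMED), ("wellformed", WELLFORMED)):
        print(name, len(pkt), matches_poc_shape(pkt), find_short_id_payloads(pkt))
```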
CVSS provenance
- nvd: v2.0 5.0 MEDIUM AV:N/AC:L/Au:N/C:N/I:N/A:P
- osv: 5.0 MEDIUM
- vendor_debian: 5.0 MEDIUM
- vendor_redhat: 5.0 MEDIUM
GHSA
GHSA-rm38-jqfm-qmjm: Integer underflow in the isakmp_id_print for TCPDUMP 3
ghsa_unreviewed · 2022-04-29 · MEDIUM · CWE-125
OSV
CVE-2004-0184: Integer underflow in the isakmp_id_print for TCPDUMP 3
osv · 2004-05-04 · CVSS 5.0 · MEDIUM
Red Hat
security flaw
vendor_redhat · 2004-03-29 · CVSS 5.0 · MEDIUM
Debian
CVE-2004-0184: tcpdump - Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows re...
vendor_debian · 2004 · CVSS 5.0 · MEDIUM
Scope: local
bookworm: resolved (fixed in 3.7.2-4)
bullseye: resolved (fixed in 3.7.2-4)
forky: resolved (fixed in 3.7.2-4)
sid: resolved (fixed in 3.7.2-4)
trixie: resolved (fixed in 3.7.2-4)
No detection rules found.
References:
- http://marc.info/?l=bugtraq&m=108067265931525&w=2
- http://secunia.com/advisories/11258
- http://securitytracker.com/id?1009593
- http://www.debian.org/security/2004/dsa-478
- http://www.kb.cert.org/vuls/id/492558
- http://www.rapid7.com/advisories/R7-0017.html
- http://www.redhat.com/support/errata/RHSA-2004-219.html
- http://www.securityfocus.com/bid/10004
- http://www.tcpdump.org/tcpdump-changes.txt
- http://www.trustix.org/errata/2004/0015
- https://bugzilla.fedora.us/show_bug.cgi?id=1468
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15679
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9581
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A976