CVE-2007-3798
Published 2007-07-16
Priority: P2 · 69 · critical · 9.8 (CVSS 3.1)
Flags: EXPLOIT
EPSS: 70.39% (99.3th percentile)
Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | >= 10.0.0 < 10.4.11 | 10.4.11 |
| apple | mac_os_x_server | >= 10.0.0 < 10.4.11 | 10.4.11 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tcpdump | < tcpdump 3.9.5-3 (bookworm) | tcpdump 3.9.5-3 (bookworm) |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 5.0 < 5.5 | 5.5 |
| freebsd | freebsd | >= 6.0 < 6.1 | 6.1 |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| slackware | slackware | — | — |
| tcpdump | tcpdump | <= 3.9.6 | — |
| tcpdump | tcpdump | >= 0 < 3.9.5-3 | 3.9.5-3 |
| tcpdump | tcpdump | >= 0 < 3.9.5-3 | 3.9.5-3 |
| tcpdump | tcpdump | >= 0 < 3.9.5-3 | 3.9.5-3 |
| tcpdump | tcpdump | >= 0 < 3.9.5-3 | 3.9.5-3 |
Detection & IOCs (extracted from sources)
command: sendto() crafted BGP UPDATE packet with BGPTYPE_MP_REACH_NLRI (type 14), AFNUM_L2VPN (196), SAFNUM_VPNUNICAST (128), tlen=0xFFFF, marker=0xFF*15, type=0x01, len=0x02
bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF (16-byte BGP marker) followed by 02 00 02 00 00 00 FF 00 0E FF
- Monitor for crafted BGP packets on TCP port 179 containing MP_REACH_NLRI (type 14) attributes with AFNUM_L2VPN (0xC4/196) and SAFNUM_VPNUNICAST (0x80/128) that trigger the integer overflow in tcpdump's BGP dissector (print-bgp.c). An oversized attribute length (0xFF) combined with tlen fields of 0xFFFF is characteristic of exploitation.
- The vulnerability is a stack-based buffer overflow triggered by an unchecked return value in the BGP dissector (print-bgp.c). Detection should focus on tcpdump process crashes or unexpected termination when processing BGP traffic, which may indicate failed exploitation attempts.
- Affected versions are tcpdump 3.9.6 and earlier. Verify the installed version; any tcpdump <= 3.9.6 processing live BGP traffic is at risk. The exploit targets the decode_labeled_vpn_l2 code path within the MP_REACH_NLRI attribute handler.
- tcpdump requires elevated privileges to open live network interfaces, limiting the attack surface to systems where tcpdump is actively run against live BGP traffic by a privileged user.
- Red Hat Enterprise Linux 2.1 and 3 ship versions of tcpdump not affected by this issue; detection rules targeting RHEL should account for this.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cg3g-c98g-38cg: Integer overflow in print-bgp
ghsa_unreviewed · 2022-05-01 · severity MEDIUM · CWE-252
OSV
CVE-2007-3798: Integer overflow in print-bgp
osv · 2007-07-16 · CVSS 9.8 · CRITICAL
BSD
FreeBSD-SA-07:06.tcpdump: Buffer overflow in tcpdump(1)
bsd_advisories · 2007-08-01 · CVSS 9.8 · CRITICAL
FreeBSD-SA-07:06.tcpdump Security Advisory
The FreeBSD Project
Topic: Buffer overflow in tcpdump(1)
Category: contrib
Module: tcpdump
Announced: 2007-08-01
Credits: "mu-b"
Affects: All supported versions of FreeBSD
Corrected: 2007-08-01 20:42:48 UTC (RELENG_6, 6.2-STABLE)
2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
2007-08-01 20:47:13 UTC (RELENG_5, 5.5-STABLE)
2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name: CVE-2007-3798
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Tcpdump is a commonly used network diagnostic utility which decodes packets
received on the wire into human
Ubuntu
tcpdump vulnerability
vendor_ubuntu · 2007-07-31
A flaw was discovered in the BGP dissector of tcpdump. Remote
attackers could send specially crafted packets and execute arbitrary
code with user privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
tcpdump BGP integer overflow
vendor_redhat · 2007-07-10 · CVSS 9.8 · CRITICAL · CWE-190
Statement: This issue does not affect the version of tcpdump shipped in Red Hat Enterprise Linux 2.1 or 3.
Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=250275
Red Hat Product Security has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: https://access.redhat.com/security/updates/classification/
Debian
CVE-2007-3798: tcpdump - Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlie...
vendor_debian · 2007 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 3.9.5-3)
bullseye: resolved (fixed in 3.9.5-3)
forky: resolved (fixed in 3.9.5-3)
sid: resolved (fixed in 3.9.5-3)
trixie: resolved (fixed in 3.9.5-3)
No detection rules found.
Bugzilla
CVE-2007-3798 tcpdump BGP integer overflow [FC6]
bugzilla · 2007-07-31 · CVSS 9.8 · CRITICAL
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Fixed in tcpdump-3.9.4-11.fc6.
Bugzilla
CVE-2007-3798 tcpdump BGP integer overflow
bugzilla · 2007-07-31 · CVSS 9.8 · CRITICAL
An integer overflow flaw was found in tcpdump's BGP protocol dissector. This
could potentially allow an attacker to execute arbitrary code as the user
running tcpdump.
The upstream patch is here:
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
The Gentoo bug has more information
http://bugs.gentoo.org/show_bug.cgi?id=184815
Discussion:
This flaw does not affect the version of tcpdump shipped in Red Hat Enterprise
Linux 2.1 or 3.
---
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0368.html
http://rhn.redhat.com/errata/RHSA-2007-0387.html
Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-1361
Bugzilla
CVE-2007-3798 tcpdump BGP integer overflow [Fdevel]
bugzilla · 2007-07-31 · CVSS 9.8 · CRITICAL
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Fixed in tcpdump-3.9.7-1.fc8.
Bugzilla
CVE-2007-3798 tcpdump BGP integer overflow [F7]
bugzilla · 2007-07-31 · CVSS 9.8 · CRITICAL
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Fixed in tcpdump-3.9.7-1.fc7.
CWE
CWE-252: Unchecked Return Value
mitre_cwe
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the product is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.
Background: Many functions will return some val
CWE
CWE-754: Improper Check for Unusual or Exceptional Conditions
mitre_cwe
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking
References
- http://bugs.gentoo.org/show_bug.cgi?id=184815
- http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://secunia.com/advisories/26135
- http://secunia.com/advisories/26168
- http://secunia.com/advisories/26223
- http://secunia.com/advisories/26231
- http://secunia.com/advisories/26263
- http://secunia.com/advisories/26266
- http://secunia.com/advisories/26286
- http://secunia.com/advisories/26395
- http://secunia.com/advisories/26404
- http://secunia.com/advisories/26521
- http://secunia.com/advisories/27580
- http://secunia.com/advisories/28136
- http://security.freebsd.org/advisories/FreeBSD-SA-07:06.tcpdump.asc
- http://security.gentoo.org/glsa/glsa-200707-14.xml
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.449313
- http://www.debian.org/security/2007/dsa-1353
- http://www.digit-labs.org/files/exploits/private/tcpdump-bgp.c
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:148
- http://www.novell.com/linux/security/advisories/2007_16_sr.html
- http://www.redhat.com/support/errata/RHSA-2007-0368.html
- http://www.redhat.com/support/errata/RHSA-2007-0387.html
- http://www.securityfocus.com/archive/1/474225/100/0/threaded
- http://www.securityfocus.com/bid/24965
- http://www.securitytracker.com/id?1018434
- http://www.trustix.org/errata/2007/0023/
- http://www.turbolinux.com/security/2007/TLSA-2007-46.txt
- http://www.ubuntu.com/usn/usn-492-1
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://www.vupen.com/english/advisories/2007/2578
- http://www.vupen.com/english/advisories/2007/4238
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9771