CVE-2007-3798
published 2007-07-16


Priority: P2 (69)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 70.39% (99.3rd percentile)
Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.

Affected

25 ranges

Vendor    | Product         | Version range                  | Fixed in
apple     | mac_os_x        | >= 10.0.0 < 10.4.11            | 10.4.11
apple     | mac_os_x_server | >= 10.0.0 < 10.4.11            | 10.4.11
canonical | ubuntu_linux    |                                |
canonical | ubuntu_linux    |                                |
canonical | ubuntu_linux    |                                |
debian    | debian_linux    |                                |
debian    | debian_linux    |                                |
debian    | tcpdump         | < tcpdump 3.9.5-3 (bookworm)   | tcpdump 3.9.5-3 (bookworm)
freebsd   | freebsd         |                                |
freebsd   | freebsd         |                                |
freebsd   | freebsd         |                                |
freebsd   | freebsd         | >= 5.0 < 5.5                   | 5.5
freebsd   | freebsd         | >= 6.0 < 6.1                   | 6.1
slackware | slackware       |                                |
slackware | slackware       |                                |
slackware | slackware       |                                |
slackware | slackware       |                                |
slackware | slackware       |                                |
slackware | slackware       |                                |
slackware | slackware       |                                |
tcpdump   | tcpdump         | <= 3.9.6                       |
tcpdump   | tcpdump         | >= 0 < 3.9.5-3                 | 3.9.5-3
tcpdump   | tcpdump         | >= 0 < 3.9.5-3                 | 3.9.5-3
tcpdump   | tcpdump         | >= 0 < 3.9.5-3                 | 3.9.5-3
tcpdump   | tcpdump         | >= 0 < 3.9.5-3                 | 3.9.5-3

Detection & IOCs (extracted from sources)

port: 179
command: sendto() crafted BGP UPDATE packet with BGPTYPE_MP_REACH_NLRI (type 14), AFNUM_L2VPN (196), SAFNUM_VPNUNICAST (128), tlen=0xFFFF, marker=0xFF*15, type=0x01, len=0x02
path: src/contrib/tcpdump/print-bgp.c
bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF (16-byte BGP marker) followed by 02 00 02 00 00 00 FF 00 0E FF
  • Monitor for crafted BGP packets on TCP port 179 containing MP_REACH_NLRI (type 14) attributes with AFNUM_L2VPN (0xC4/196) and SAFNUM_VPNUNICAST (0x80/128) that trigger integer overflow in tcpdump's BGP dissector (print-bgp.c). Oversized attr length (0xFF) combined with tlen fields of 0xFFFF are characteristic of exploitation.
  • The vulnerability is a stack-based buffer overflow triggered by an unchecked return value in the BGP dissector (print-bgp.c). Detection should focus on tcpdump process crashes or unexpected termination when processing BGP traffic, which may indicate failed exploitation attempts.
  • Affected versions are tcpdump 3.9.6 and earlier. Verify installed version; any tcpdump <= 3.9.6 processing live BGP traffic is at risk. The exploit targets the decode_labeled_vpn_l2 code path within the MP_REACH_NLRI attribute handler.
  • tcpdump requires elevated privileges to open live network interfaces, limiting the attack surface to systems where tcpdump is actively run against live BGP traffic by a privileged user.
  • Red Hat Enterprise Linux 2.1 and 3 ship versions of tcpdump not affected by this issue; detection rules targeting RHEL should account for this.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |