PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5202 Redhat CVE debrief

CVE-2017-5202 is a critical memory-corruption issue in tcpdump's ISO CLNS parser. The vulnerable path is clnp_print() in print-isoclns.c, and NVD rates the issue CVSS 3.0 9.8 with network reachability, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability.

Vendor: Redhat
Product: CVE-2017-5202
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Anyone running tcpdump before 4.9.0 should treat this as important, especially systems that inspect untrusted network traffic. Administrators of Debian 8/9 and the Red Hat Enterprise Linux variants listed in NVD should also verify whether their packaged tcpdump builds are fixed.

Technical summary

The NVD record identifies a buffer overflow in tcpdump's ISO CLNS parser, specifically print-isoclns.c:clnp_print(), and maps the weakness to CWE-119. The vulnerable range is tcpdump before 4.9.0. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a remotely reachable issue that does not require privileges or user interaction and can have severe impact if triggered.

Defensive priority

Immediate. This is a critical patching item for any tcpdump deployment that can process untrusted packets.

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later.
  • Prioritize remediation on hosts that capture, relay, or inspect untrusted network traffic.
  • Check distribution backports and vendor advisories for the exact fixed package version on Debian and Red Hat systems.
  • Confirm whether any tcpdump instances are embedded in appliances, containers, or monitoring stacks that may need separate updates.
  • If patching must be deferred, reduce exposure by limiting tcpdump use on untrusted traffic paths until updates are applied.
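
As an added example (not part of the original debrief or of the tcpdump project), the shell functions below triage a tcpdump version banner against the 4.9.0 threshold named above. The function names and sample banners are constructed for illustration, and the banner is assumed to have the form "tcpdump version X.Y.Z".

```shell
#!/bin/sh
# Added example: triage a tcpdump version banner against the 4.9.0 threshold.
# Function names and sample banners are constructed for illustration.
FIXED_VERSION="4.9.0"   # first fixed upstream release, per the advisory text

# Print the X.Y.Z from a banner line of the form "tcpdump version X.Y.Z".
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 is numerically older than $2.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0          # a missing field counts as 0 (4.9 == 4.9.0)
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Classify a banner. Always exits 0; the verdict is the printed token.
classify_banner() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "below-fixed $v"
    else
        echo "at-or-above-fixed $v"
    fi
}

# Constructed sample banners (not captured from real hosts).
SAMPLE_OLD='tcpdump version 4.7.4
libpcap version 1.7.4'
SAMPLE_NEW='tcpdump version 4.10.0
libpcap version 1.9.1'
```

On a host, call it as `classify_banner "$(tcpdump --version 2>&1)"`. A `below-fixed` result on a Debian or Red Hat package is a prompt to check the vendor advisory for a backported fix, not proof that the build is vulnerable.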

Evidence notes

The supplied NVD metadata describes a buffer overflow in tcpdump's ISO CLNS parser, identifies tcpdump versions before 4.9.0 as vulnerable, and assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD also lists Debian, Red Hat, and Gentoo advisories as references and includes Debian 8/9 plus several Red Hat Enterprise Linux CPE entries. The supplied vendor metadata, which names Redhat as the vendor, appears inconsistent with the CVE description because the affected product is tcpdump.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-28; the supplied NVD entry was last modified on 2026-05-13. No CISA KEV entry is present in the supplied corpus.