PatchSiren cyber security CVE debrief
CVE-2016-7973 Tcpdump CVE debrief
CVE-2016-7973 is a critical memory-corruption issue in tcpdump’s AppleTalk parser. The supplied record says the bug is in print-atalk.c across multiple functions, and NVD scores it 9.8 because it can be triggered without privileges or user interaction. Treat any affected tcpdump deployment as urgent to patch.
- Vendor: Tcpdump
- Product: CVE-2016-7973
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-28
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-28
- Advisory updated: 2026-05-13
Who should care
Administrators, distro maintainers, and security teams responsible for systems running tcpdump prior to the fixed release should prioritize this CVE, especially where tcpdump may process externally supplied packet data or capture files.
Technical summary
The supplied description identifies a buffer overflow in tcpdump’s AppleTalk parser in print-atalk.c, affecting multiple functions. NVD classifies the weakness as CWE-119 and lists tcpdump versions through 4.8.1 as vulnerable in the CPE data, while the description text says the issue affects versions before 4.9.0. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high-impact flaw with no privileges or user interaction required.
Defensive priority
Immediate
Recommended defensive actions
- Upgrade tcpdump to a fixed release as soon as possible; the supplied description indicates the issue is addressed in 4.9.0 and later.
- Inventory all hosts, containers, and appliances that include tcpdump, including vendor-packaged or backported builds, so no vulnerable copy is missed.
- If you cannot patch immediately, minimize or suspend use of tcpdump on untrusted packet data and restrict access to systems that run it.
- Check distro guidance and backport status for Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30 to confirm the exact remediation for your platform.
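For the inventory step above, a version banner can be classified against the 4.9.0 cutoff from the CVE description. This is an added example, not code from the tcpdump project or from the advisory; the function names are hypothetical, and it assumes the banner format `tcpdump version X.Y.Z`.

```shell
#!/bin/sh
# Added example. FIXED_VERSION is the cutoff from the CVE description on this
# page; function names are hypothetical.
FIXED_VERSION="4.9.0"

# Pull "X.Y[.Z]" out of a banner line such as "tcpdump version 4.8.1".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^tcpdump version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Succeed (exit 0) when dotted version $1 is numerically lower than $2.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Classify banner text: "affected <ver>", "fixed <ver>" or "unknown".
# "affected" means the upstream number is below the cutoff; a distro build with
# a backported fix can still report such a number, so confirm with the advisory.
classify_tcpdump() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "affected $ver"
    else
        echo "fixed $ver"
    fi
}

# Check the local binary when one is installed. Older builds may print the
# banner on stderr, hence 2>&1.
if command -v tcpdump >/dev/null 2>&1; then
    classify_tcpdump "$(tcpdump --version 2>&1)"
fi
```

Treat an "unknown" result as unverified rather than safe, and check that host's package metadata by hand.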
Evidence notes
Evidence comes from the supplied CVE/NVD corpus. The CVE was published on 2017-01-28. NVD marks the weakness as CWE-119 and gives a CVSS 3.0 score of 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The supplied description says tcpdump before 4.9.0 is affected, while the NVD CPE range lists vulnerable versions through 4.8.1; treat the exact cutoff as something to verify against vendor or distro advisories. No KEV entry was supplied.
Official resources
- CVE-2016-7973 CVE record (CVE.org)
- CVE-2016-7973 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Third Party Advisory, VDB Entry)
Published by the CVE record on 2017-01-28; the supplied record was last modified on 2026-05-13.