PatchSiren cyber security CVE debrief

CVE-2017-5342 Tcpdump CVE debrief

CVE-2017-5342 is a critical tcpdump memory-safety flaw in print-ether.c:ether_print() that the CVE description ties to multiple protocol parsers: Geneve, GRE, NSH, OTV, VXLAN, and VXLAN GPE. NVD rates it as remotely reachable with no privileges or user interaction and with high confidentiality, integrity, and availability impact. The affected range in NVD’s CPE data is tcpdump 4.8.1 and earlier, while the CVE description says the bug was fixed before 4.9.0.

Vendor: Tcpdump
Product: CVE-2017-5342
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-28
Original CVE updated: 2026-05-13
Advisory published: 2017-01-28
Advisory updated: 2026-05-13

Who should care

Administrators and defenders running tcpdump 4.8.1 or earlier, especially in environments that parse or inspect Geneve, GRE, NSH, OTV, VXLAN, or VXLAN GPE traffic. Package maintainers and incident response teams should also verify whether downstream vendor builds include the fix.

Technical summary

The issue is a buffer overflow in tcpdump’s ether_print() path, triggered through several protocol parsers in the Ethernet printing logic. Because NVD scores it AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the record treats it as network-reachable, low-complexity, and requiring neither privileges nor user interaction. The root weakness is mapped to CWE-119.

Defensive priority

Urgent

Recommended defensive actions

  • Upgrade tcpdump to 4.9.0 or later, or install the vendor backport that includes the fix.
  • Check deployed systems for tcpdump versions at or below 4.8.1 and prioritize any systems that handle the listed tunnel encapsulations.
  • Apply the relevant vendor advisories referenced in the record, including Debian DSA-3775, Red Hat RHSA-2017:1871, and Gentoo GLSA 201702-30.
  • Use package management or asset inventory to confirm that all hosts analyzing packet captures are on a fixed build.
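The version check in the second and fourth actions can be scripted. The following POSIX shell is an added example written for this debrief; it is not PatchSiren tooling or part of the tcpdump project. It parses the first line of `tcpdump --version` output (assumed to be of the form `tcpdump version X.Y.Z`), compares the version against the 4.9.0 upstream fix threshold from the CVE description, and reports fixed, vulnerable, or unknown. The function names, the sample version strings, and the numeric encoding of versions are constructed for the example.

```shell
#!/bin/sh
# Added example (not from PatchSiren or the tcpdump project): flag tcpdump
# builds at or below 4.8.1, the range NVD lists for CVE-2017-5342.

# version_key "4.9.3-1ubuntu" -> 4009003
# Encodes a dotted major.minor[.patch] version as one integer so that
# versions can be compared with -ge; any suffix after the digits is dropped.
# Returns 1 if the string does not start with a dotted numeric version.
version_key() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# parse_tcpdump_version "tcpdump version 4.8.1" -> "4.8.1"
# Extracts the dotted version from the first matching line of --version
# output; prints nothing if the expected "tcpdump version" text is absent.
parse_tcpdump_version() {
    printf '%s\n' "$1" | sed -n 's/.*tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# tcpdump_is_fixed VERSION -> exit 0 if VERSION >= 4.9.0, 1 if older,
# 2 if VERSION cannot be parsed.
tcpdump_is_fixed() {
    key=$(version_key "$1") || return 2
    fix=$(version_key 4.9.0)
    [ "$key" -ge "$fix" ]
}

# audit_tcpdump_output "<full --version text>" -> prints a verdict line and
# exits 0 (fixed), 1 (vulnerable by upstream version), or 2 (unknown).
# Caveat: distributions such as Debian (DSA-3775) and Red Hat (RHSA-2017:1871)
# backport fixes without bumping the upstream version, so a "vulnerable"
# verdict here means "check the package changelog", not "confirmed exploitable".
audit_tcpdump_output() {
    ver=$(parse_tcpdump_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse a tcpdump version from: $1"
        return 2
    fi
    if tcpdump_is_fixed "$ver"; then
        echo "FIXED: tcpdump $ver is at or above 4.9.0"
        return 0
    fi
    echo "VULNERABLE (by upstream version): tcpdump $ver <= 4.8.1; verify vendor backport"
    return 1
}

# Stand-alone use: audit the locally installed tcpdump if one is present.
# tcpdump prints its version banner to stderr, hence 2>&1.
if command -v tcpdump >/dev/null 2>&1; then
    audit_tcpdump_output "$(tcpdump --version 2>&1)" || true
else
    # Constructed sample banner so the example runs offline on any host.
    audit_tcpdump_output "tcpdump version 4.8.1
libpcap version 1.8.1" || true
fi
```

Run it on each host that analyzes captures, or feed it banners collected by your inventory tooling. A VULNERABLE result on a distribution package should be resolved against that distribution's changelog (for example `rpm -q --changelog tcpdump` or `apt changelog tcpdump`) before it is treated as an unpatched host, because the vendor advisories listed above ship the fix inside older version numbers.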

Evidence notes

Primary evidence comes from the CVE description and NVD metadata. The description explicitly names the affected function (print-ether.c:ether_print()) and parser families (Geneve, GRE, NSH, OTV, VXLAN, VXLAN GPE). NVD provides the vulnerable CPE range (tcpdump 4.8.1 and earlier), the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and CWE-119. Additional references in the CVE metadata point to Debian, Red Hat, Gentoo, SecurityFocus, SecurityTracker, and a Debian bug mailing list thread.

Official resources

CVE published at 2017-01-28T01:59:01.203Z; the NVD record was last modified at 2026-05-13T00:24:29.033Z. No KEV date was supplied in the provided corpus.