CVE-2025-51006
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-10-14
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| broadcom | tcpreplay | 4.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a double-free bug in the tcpreplay 4.5.1 software, specifically in the tcprewrite utility's dlt_linuxsll2_cleanup() function. It occurs when the cleanup routine frees the same memory region twice during the closing of the tcpedit context after processing a specially crafted pcap file. This double free leads to memory corruption and causes the program to crash or terminate unexpectedly. [1, 2]
How can this vulnerability impact me?
Exploiting this vulnerability allows a local attacker to cause a Denial of Service (DoS) by crashing the tcprewrite program through memory corruption. This can disrupt services or workflows that rely on tcpreplay's tcprewrite utility, potentially leading to downtime or interruption of network traffic replay tasks. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the tcprewrite utility from tcpreplay version 4.5.1 on a specially crafted pcap file that triggers the double-free bug. Using AddressSanitizer when compiling tcpreplay can help detect the double-free by reporting attempts to free the same memory region twice. A suggested command to reproduce and detect the issue is: `src/tcprewrite -i ./poc -o /dev/null`, where `./poc` is a proof-of-concept pcap file crafted to trigger the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade tcpreplay to version 4.5.2 or later, where this double-free vulnerability has been fixed. Avoid running tcprewrite on untrusted or specially crafted pcap files until the update is applied to prevent Denial of Service via memory corruption. [2]
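To act on the upgrade advice across hosts, the following added example (not code from tcpreplay or from this page) classifies a tcpreplay version against the two versions the page names: 4.5.1 as affected and 4.5.2 or later as fixed. The function names, the banner layout and the `-V` flag are assumptions, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: classify a tcpreplay build against CVE-2025-51006.
# Per the page: 4.5.1 is listed as affected; 4.5.2 and later carry the fix.

# Extract the first x.y.z token from version-banner text.
# The banner layout is an assumption; only the dotted token is relied on.
extract_version() {
    printf '%s\n' "$1" |
        sed -En 's/^[^0-9]*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | head -n 1
}

# Print one of: affected | fixed | not-listed | unknown
classify_version() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver            # safe: $ver holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    if [ "$1" -eq 4 ] && [ "$2" -eq 5 ] && [ "$3" -eq 1 ]; then
        echo affected
    elif [ "$1" -gt 4 ] ||
         { [ "$1" -eq 4 ] && [ "$2" -gt 5 ]; } ||
         { [ "$1" -eq 4 ] && [ "$2" -eq 5 ] && [ "$3" -ge 2 ]; }; then
        echo fixed
    else
        echo not-listed    # older than 4.5.1: the page lists no status
    fi
}

# Check the locally installed tool, if any. `-V` as the version flag is an
# assumption about the tcpreplay command-line tools.
check_installed() {
    if ! command -v tcprewrite >/dev/null 2>&1; then
        echo "tcprewrite: not installed"; return 0
    fi
    banner=$(tcprewrite -V 2>&1 || true)
    echo "tcprewrite: $(classify_version "$(extract_version "$banner")")"
}

# Constructed sample banners (not captured from a real install).
for b in "tcprewrite version: 4.5.1 (build git:v4.5.1)" \
         "tcprewrite version: 4.5.2 (build git:v4.5.2)" "garbage"; do
    echo "sample '$b' -> $(classify_version "$(extract_version "$b")")"
done
check_installed
```

A version string does not reflect fixes a distribution may have backported without changing the version number, so treat `affected` as a prompt to check the package changelog rather than as proof.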