CVE-2017-13035 in macOS
Summary
by MITRE
The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:isis_print_id().
Analysis
by VulDB Data Team • 12/05/2025
CVE-2017-13035 is a critical buffer over-read in the ISO IS-IS protocol parser of tcpdump versions before 4.9.2. The flaw lives in the isis_print_id() function of print-isoclns.c, where insufficient input validation leads to out-of-bounds memory access. The affected versions parse packets carrying IS-IS, a routing protocol commonly used in large enterprise networks and service provider infrastructures. The over-read occurs when the parser reads past the end of the packet buffer while processing IS-IS identifier fields, which can cause system instability or disclose memory contents.
The root cause is inadequate bounds checking in the IS-IS parser. When tcpdump encounters an IS-IS packet, isis_print_id() processes identifier fields without sufficient validation of the packet's length or structure. An attacker can therefore craft IS-IS packets with malformed identifier data that make the parser read memory beyond the intended buffer. The flaw is a classic buffer over-read, classified as CWE-125: the application reads past the end of a buffer, which can expose sensitive memory contents or crash the application. Because IS-IS is widely deployed in network infrastructure, the attack surface spans enterprise and service provider environments.
The operational impact extends beyond simple denial of service to possible information disclosure and remote code execution scenarios. An attacker positioned to inject malicious IS-IS packets into monitored traffic can trigger the over-read, crashing the system or extracting sensitive information from memory. Network monitoring and security analysis tools that rely on tcpdump for packet inspection are affected, so network security operations themselves can be compromised. The attack vector requires network access to inject IS-IS packets, but given how widely IS-IS is deployed in core network infrastructure, exploitation is possible wherever traffic can be manipulated or intercepted. According to the ATT&CK framework, this vulnerability maps to T1046 Network Service Scanning and T1059 Command and Scripting Interpreter, as it enables attackers to manipulate network monitoring tools and potentially escalate privileges through information disclosure.
Mitigation for CVE-2017-13035 is primarily to upgrade tcpdump to version 4.9.2 or later, which contains the patch for the buffer over-read. Network administrators should also apply network segmentation and access controls so that monitoring tools are not exposed to untrusted network segments. Further defensive measures include intrusion detection systems that can flag malformed IS-IS packets and network access controls that prevent unauthorized packet injection. Organizations should conduct vulnerability assessments to identify systems running affected tcpdump versions and ensure proper patch management procedures are in place. The fix in tcpdump 4.9.2 adds bounds checking and input validation to isis_print_id(), preventing the over-read while keeping protocol parsing intact. Security teams should also monitor network traffic for attempts to exploit this vulnerability.
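The missing length check described in the analysis and the bounds check the 4.9.2 fix adds, as an added C example that is not tcpdump's own code: a simplified reconstruction of an IS-IS ID formatter that refuses to read past the captured data. The dotted output form, the ID lengths and the function names are assumptions that only approximate the real printer; sample_lsp_id is a constructed packet fragment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction, NOT tcpdump's own source. The IS-IS ID
 * lengths assumed here: a 6-byte system ID, a 7-byte node ID (system ID
 * plus pseudonode byte) and an 8-byte LSP ID (node ID plus fragment). */
#define SYSTEM_ID_LEN 6
#define NODE_ID_LEN   (SYSTEM_ID_LEN + 1)
#define LSP_ID_LEN    (SYSTEM_ID_LEN + 2)

/* Constructed sample: system ID 1921.6800.0001, pseudonode 02, fragment 05. */
const uint8_t sample_lsp_id[LSP_ID_LEN] = {
    0x19, 0x21, 0x68, 0x00, 0x00, 0x01, 0x02, 0x05
};

/* Bytes an unchecked reader starting at 'off' would touch beyond the end of
 * the captured data. Non-zero means a buffer over-read (CWE-125). */
size_t overread_bytes(size_t caplen, size_t off, size_t id_len)
{
    size_t end = off + id_len;
    return end > caplen ? end - caplen : 0;
}

/* Hardened formatter: refuses an ID that is not fully inside the capture.
 * Writes the dotted form ("1921.6800.0001.02-05" for an LSP ID) into out
 * and returns the ID bytes consumed, or -1 on a truncated capture. */
int format_isis_id(const uint8_t *pkt, size_t caplen, size_t off,
                   size_t id_len, char *out, size_t outlen)
{
    size_t i, pos = 0;
    /* The bounds check whose absence is the vulnerability. */
    if (id_len > LSP_ID_LEN || overread_bytes(caplen, off, id_len) != 0)
        return -1;
    if (outlen < 3 * LSP_ID_LEN)          /* hex pairs + separators + NUL */
        return -1;
    for (i = 0; i < id_len; i++) {
        if (i == SYSTEM_ID_LEN)           /* pseudonode byte */
            out[pos++] = '.';
        else if (i == NODE_ID_LEN)        /* LSP fragment number */
            out[pos++] = '-';
        else if (i > 0 && i % 2 == 0)     /* xxxx.xxxx.xxxx grouping */
            out[pos++] = '.';
        pos += (size_t)snprintf(out + pos, outlen - pos, "%02x", (unsigned)pkt[off + i]);
    }
    out[pos] = '\0';
    return (int)id_len;
}
```

A capture that holds only four of the six system ID bytes makes overread_bytes() report the two bytes an unchecked printer would read past the buffer, and format_isis_id() rejects it instead.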