MDVSA-2011:044

1025148

ADV-2011-0622

http://www.wireshark.org/docs/relnotes/wireshark-1.2.15.html

http://www.wireshark.org/docs/relnotes/wireshark-1.4.4.html

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1516

oval:org.mitre.oval:def:14724

From Red Hat Security Advisory 2011:0370 :

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Wireshark. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send specially crafted packets on a network       being monitored by Wireshark, entice a user to open a malformed packet       trace file using Wireshark, or deploy a specially crafted Lua script for       use by Wireshark, possibly resulting in the execution of arbitrary code,       or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

This advisory updates wireshark to the latest version (1.2.15), fixing several security issues :

Wireshark 1.5.0, 1.4.3, and earlier frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed file (CVE-2011-0538).

Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long record in a Nokia DCT3 trace file (CVE-2011-0713).

wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) via a pcap-ng file that contains a large packet-length field (CVE-2011-1139).

Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allow remote attackers to cause a denial of service (infinite recursion) via a crafted (1) SMB or (2) Connection-less LDAP (CLDAP) packet (CVE-2011-1140).

epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (memory consumption) via (1) a long LDAP filter string or (2) an LDAP filter string containing many elements (CVE-2011-1141).

Stack consumption vulnerability in the dissect_ber_choice function in the BER dissector in Wireshark 1.2.x through 1.2.15 and 1.4.x through 1.4.4 might allow remote attackers to cause a denial of service (infinite loop) via vectors involving self-referential ASN.1 CHOICE values (CVE-2011-1142).

epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file (CVE-2011-1143).

The updated packages have been upgraded to the latest 1.2.x version (1.2.15) and patched to correct these issues.

The installed version of Wireshark is 1.0.x or 1.2.x less than 1.2.15 or 1.4.x less than 1.4.4.  Such versions are affected by the following vulnerabilities :

  - The BER dissector may loop indefinitely. (Bug #1516)

  - A crash can occur in the NTLMSSP dissector. (Bug #5157)

  - An error exists in the processing of pcap-ng files     that causes the application to free an uninitialized     pointer. (Bug #5652) 

  - An error exists in the processing of packets having     large length in a pcap-ng file. This can result in     application crashes. (Bug #5661) 

  - A stack overflow vulnerability exists in the LDAP and     SMB dissectors. (Bug #5717) 

  - An error exists in the processing of malformed 6LoWPAN     packets. This affects only 32-bit platforms and can     result in application crashes. (Bug #5722) 

  - An error exists in the processing of large LDAP filter     strings that cause the application to consume excessive     amounts of memory. (Bug #5732)

ID	Name	Product	Family	Severity
68232	Oracle Linux 4 / 5 : wireshark (ELSA-2011-0370)	Nessus	Oracle Linux Local Security Checks	high
56426	GLSA-201110-02 : Wireshark: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
52757	CentOS 4 / 5 : wireshark (CESA-2011:0370)	Nessus	CentOS Local Security Checks	high
52750	RHEL 4 / 5 : wireshark (RHSA-2011:0370)	Nessus	Red Hat Local Security Checks	high
52593	Mandriva Linux Security Advisory : wireshark (MDVSA-2011:044)	Nessus	Mandriva Local Security Checks	medium
52502	Wireshark < 1.2.15 / 1.4.4 Multiple Vulnerabilities	Nessus	Windows	high

CVE-2011-1142

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

high

high

medium

high