[oss-security] 20120829 Re: CVE Request -- wireshark (X >= 1.6.8): DoS (excessive CPU use and infinite loop) in DRDA dissector

54425

GLSA-201308-05

1027464

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666

https://bugzilla.redhat.com/show_bug.cgi?id=849926

oval:org.mitre.oval:def:15646

The remote Solaris system is missing necessary patches to address security updates :

  - The dissect_drda function in     epan/dissectors/packet-drda.c in Wireshark 1.6.x through     1.6.10 and 1.8.x through 1.8.2 allows remote attackers     to cause a denial of service (infinite loop and CPU     consumption) via a small value for a certain length     field in a capture file. (CVE-2012-3548)

  - The dissect_hsrp function in     epan/dissectors/packet-hsrp.c in the HSRP dissector in     Wireshark 1.8.x before 1.8.3 allows remote attackers to     cause a denial of service (infinite loop) via a     malformed packet. (CVE-2012-5237)

  - epan/dissectors/packet-ppp.c in the PPP dissector in     Wireshark 1.8.x before 1.8.3 uses incorrect OUI data     structures during the decoding of (1) PPP and (2) LCP     data, which allows remote attackers to cause a denial of     service (assertion failure and application exit) via a     malformed packet. (CVE-2012-5238)

  - Buffer overflow in the dissect_tlv function in     epan/dissectors/packet-ldp.c in the LDP dissector in     Wireshark 1.8.x before 1.8.3 allows remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a malformed     packet. (CVE-2012-5240)

The remote host is affected by the vulnerability described in GLSA-201308-05 (Wireshark: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Wireshark. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities has been found and corrected in wireshark :

Infinite and large loops in ANSI MAP, BACapp, Bluetooth HCI, IEEE 802.3, LTP, and R3 dissectors have been fixed. Discovered by Laurent Butti (http://www.wireshark.org/security/wnpa-sec-2012-08.html [CVE-2012-2392])

The DIAMETER dissector could try to allocate memory improperly and crash (http://www.wireshark.org/security/wnpa-sec-2012-09.html [CVE-2012-2393])

Wireshark could crash on SPARC processors due to misaligned memory.
Discovered by Klaus Heckelmann (http://www.wireshark.org/security/wnpa-sec-2012-10.html [CVE-2012-2394])

The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via a crafted packet, as demonstrated by a usbmon dump (CVE-2012-4048).

epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (loop and CPU consumption) via a crafted packet (CVE-2012-4049).

The DCP ETSI dissector could trigger a zero division (CVE-2012-4285).

The XTP dissector could go into an infinite loop (CVE-2012-4288).

The AFP dissector could go into a large loop (CVE-2012-4289).

The RTPS2 dissector could overflow a buffer (CVE-2012-4296).

The GSM RLC MAC dissector could overflow a buffer (CVE-2012-4297).

The CIP dissector could exhaust system memory (CVE-2012-4291).

The STUN dissector could crash (CVE-2012-4292).

The EtherCAT Mailbox dissector could abort (CVE-2012-4293).

The CTDB dissector could go into a large loop (CVE-2012-4290).

Martin Wilck discovered an infinite loop in the DRDA dissector (CVE-2012-5239).

The USB dissector could go into an infinite loop. (wnpa-sec-2012-31)

The ISAKMP dissector could crash. (wnpa-sec-2012-35)

The iSCSI dissector could go into an infinite loop. (wnpa-sec-2012-36)

The WTP dissector could go into an infinite loop. (wnpa-sec-2012-37)

The RTCP dissector could go into an infinite loop. (wnpa-sec-2012-38)

The ICMPv6 dissector could go into an infinite loop.
(wnpa-sec-2012-40)

Infinite and large loops in the Bluetooth HCI, CSN.1, DCP-ETSI DOCSIS CM-STAUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS, SDP, and SIP dissectors (wnpa-sec-2013-01).

The CLNP dissector could crash (wnpa-sec-2013-02).

The DTN dissector could crash (wnpa-sec-2013-03).

The MS-MMC dissector (and possibly others) could crash (wnpa-sec-2013-04).

The DTLS dissector could crash (wnpa-sec-2013-05).

The DCP-ETSI dissector could corrupt memory (wnpa-sec-2013-07).

The Wireshark dissection engine could crash (wnpa-sec-2013-08).

The NTLMSSP dissector could overflow a buffer (wnpa-sec-2013-09).

The sFlow dissector could go into an infinite loop (CVE-2012-6054).

The SCTP dissector could go into an infinite loop (CVE-2012-6056).

The MS-MMS dissector could crash (CVE-2013-2478).

The RTPS and RTPS2 dissectors could crash (CVE-2013-2480).

The Mount dissector could crash (CVE-2013-2481).

The AMPQ dissector could go into an infinite loop (CVE-2013-2482).

The ACN dissector could attempt to divide by zero (CVE-2013-2483).

The CIMD dissector could crash (CVE-2013-2484).

The FCSP dissector could go into an infinite loop (CVE-2013-2485).

The DTLS dissector could crash (CVE-2013-2488).

This advisory provides the latest version of Wireshark (1.6.14) which is not vulnerable to these issues.

Wireshark reports :

The HSRP dissector could go into an infinite loop.

The PPP dissector could abort.

Martin Wilck discovered an infinite loop in the DRDA dissector.

Laurent Butti discovered a buffer overflow in the LDP dissector.

The installed version of Wireshark 1.8 is earlier than 1.8.3.  It thus is affected by the following vulnerabilities :

  - A malformed packet can cause the 'DRDA' and 'HSRP'     dissectors to enter an infinite loop, thereby consuming     excessive CPU resources. (CVE-2012-3548, CVE-2012-5237)

  - A malformed packet can cause the 'PPP' dissector to     crash the application. (CVE-2012-5238)

  - A malformed packet can trigger a buffer overflow in the     'LDP' dissector, which results in an application crash.
    (CVE-2012-5240)

The installed version of Wireshark 1.6 is earlier than 1.6.11.  It thus is affected by a denial of service vulnerability.  A malformed packet can cause the 'DRDA' dissector to enter an infinite loop thereby consuming excessive CPU resources.

RedHat security team reports :

A denial of service flaw was found in the way Distributed Relational Database Architecture (DRDA) dissector of Wireshark, a network traffic analyzer, performed processing of certain DRDA packet capture files. A remote attacker could create a specially crafted capture file that, when opened could lead to wireshark executable to consume excessive amount of CPU time and hang with an infinite loop.

ID	Name	Product	Family	Severity
80805	Oracle Solaris Third-Party Patch Update : wireshark (multiple_vulnerabilities_in_wireshark4)	Nessus	Solaris Local Security Checks	medium
69500	GLSA-201308-05 : Wireshark: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
66069	Mandriva Linux Security Advisory : wireshark (MDVSA-2013:055)	Nessus	Mandriva Local Security Checks	high
62649	FreeBSD : Wireshark -- Multiple Vulnerabilities (a7706414-1be7-11e2-9aad-902b343deec9)	Nessus	FreeBSD Local Security Checks	medium
62478	Wireshark 1.8.x < 1.8.3 Multiple Vulnerabilities	Nessus	Windows	medium
62477	Wireshark 1.6.x < 1.6.11 DRDA DoS	Nessus	Windows	medium
61763	FreeBSD : wireshark -- denial of service in DRDA dissector (5415f1b3-f33d-11e1-8bd8-0022156e8794)	Nessus	FreeBSD Local Security Checks	medium

CVE-2012-3548

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

medium

high

high

medium

medium

medium

medium