PROBLEM:
Several security issues have been addressed in the 0.10.12 release of Ethereal. Ethereal is a widely used open source network protocol analyzer.
PLATFORM:
Ethereal versions 0.8.5 up to and including 0.10.11
DAMAGE:
It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
SOLUTION:
Apply the security updates.
VULNERABILITY ASSESSMENT:
The risk is HIGH. Exploiting the vulnerabilities may cause Ethereal to crash, use up memory, or run arbitrary code by injecting a carefully crafted malformed packet onto the wire. Ethereal is typically invoked by the root user.
Name: Multiple problems in Ethereal versions 0.8.5 to 0.10.10
Docid: enpa-sa-00020
Date: July 26, 2005
Versions affected: 0.8.5 up to and including 0.10.11
Severity: High
Description:
Our testing program has turned up several more security issues:
- The LDAP dissector could free static memory and crash. Versions affected: 0.8.5 to 0.10.11
- The AgentX dissector could crash. Versions affected: 0.10.10 to 0.10.11
- The 802.3 dissector could go into an infinite loop. Versions affected: 0.8.16 to 0.10.11
- The PER dissector could abort. Versions affected: 0.10.5 to 0.10.11
- The DHCP dissector could go into an infinite loop. Versions affected: 0.10.7 to 0.10.11
- The BER dissector could abort or loop infinitely. Version affected: 0.10.11
- The MEGACO dissector could go into an infinite loop. Versions affected: 0.9.14 to 0.10.11
- The GIOP dissector could dereference a null pointer. Versions affected: 0.8.20 to 0.10.11
- The SMB dissector was susceptible to a buffer overflow. Versions affected: 0.9.12 to 0.10.11
- The WBXML dissector could dereference a null pointer. Versions affected: 0.10.1 to 0.10.11
- The H1 dissector could go into an infinite loop. Versions affected: 0.8.15 to 0.10.11
- The DOCSIS dissector could cause a crash. Versions affected: 0.9.13 to 0.10.11
- The SMPP dissector could go into an infinite loop. Versions affected: 0.10.1 to 0.10.11
- SCTP graphs could crash. Version affected: 0.10.11
- The HTTP dissector could crash. Versions affected: 0.10.4 to 0.10.11
- The SMB dissector could go into a large loop. Versions affected: 0.9.0 to 0.10.11
- The DCERPC dissector could crash. Versions affected: 0.9.16 to 0.10.11
- Several dissectors could crash while reassembling packets. Versions affected: 0.9.0 to 0.10.11
Steve Grubb at Red Hat found the following issues:
- The CAMEL dissector could dereference a null pointer. Version affected: 0.10.11
- The DHCP dissector could crash. Versions affected: 0.10.4 to 0.10.11
- The CAMEL dissector could crash. Versions affected: 0.10.10 to 0.10.11
- The PER dissector could crash. Versions affected: 0.10.10 to 0.10.11
- The RADIUS dissector could crash. Versions affected: 0.9.4 to 0.10.11
- The Telnet dissector could crash. Versions affected: 0.9.10 to 0.10.11
- The IS-IS LSP dissector could crash. Versions affected: 0.8.19 to 0.10.11
- The NCP dissector could crash. Versions affected: 0.9.15 to 0.10.11
iDEFENSE found the following issues:
- Several dissectors were susceptible to a format string overflow. Versions affected: 0.9.4 to 0.10.11
Ethereal uses the zlib compression library. Security vulnerabilities have been discovered in zlib 1.2.1 and 1.2.2. The Windows installer now ships with zlib 1.2.3, which fixes these vulnerabilities.
Impact:
It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Resolution:
Upgrade to 0.10.12. Due to the severity and scope of the defects that have been discovered, no workaround is available.