RHSA-2011:0370

Executive Summary

Summary
Title	wireshark security update

Informations
Name	RHSA-2011:0370	First vendor Publication	2011-03-21
Vendor	RedHat	Last vendor Modification	2011-03-21
Severity (Vendor)	Moderate	Revision	01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated wireshark packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Wireshark is a program for monitoring network traffic. Wireshark was
previously known as Ethereal.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark
opened a specially-crafted capture file, it could crash or, possibly,
execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could
crash or stop responding if it read a malformed packet off a network, or
opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139,
CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

Users of Wireshark should upgrade to these updated packages, which contain
backported patches to correct these issues. All running instances of
Wireshark must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

639486 - CVE-2010-3445 wireshark: stack overflow in BER dissector
671331 - CVE-2011-0024 heap-based buffer overflow in wireshark < 1.2 when reading malformed capture files
676232 - CVE-2011-0538 Wireshark: memory corruption when reading a malformed pcap file (upstream bug #5652)
681748 - CVE-2011-1139 Wireshark: Denial Of Service (application crash) via a pcap-ng file that contains a large packet-length field
681754 - CVE-2011-1140 Wireshark: Multiple stack consumption vulnerabilities caused DoS via crafted SMB or CLDAP packet
681756 - CVE-2011-1141 Wireshark: Malformed LDAP filter string causes Denial of Service via excessive memory consumption
681760 - CVE-2011-1143 Wireshark: Null pointer dereference causing application crash when reading malformed pcap file

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2011-0370.html

CWE : Common Weakness Enumeration

id	Name
CWE-399	Resource Management Errors
CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14607

Oval ID:	oval:org.mitre.oval:def:14607
Title:	Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12
Description:	Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a long string in an unknown ASN.1/BER encoded packet, as demonstrated using SNMP.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-3445	Version:	4
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.4.x before 1.4.1 or 1.2.x before 1.2.12

Definition Id: oval:org.mitre.oval:def:14605

Oval ID:	oval:org.mitre.oval:def:14605
Title:	Vulnerability in pcap-ng processing in Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0
Description:	Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0 frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed file.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-0538	Version:	4
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, or 1.5.0

Definition Id: oval:org.mitre.oval:def:14997

Oval ID:	oval:org.mitre.oval:def:14997
Title:	Vulnerability in wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3
Description:	wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) via a pcap-ng file that contains a large packet-length field.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-1139	Version:	4
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.2.0 through 1.2.14 or 1.4.0 through 1.4.3

Definition Id: oval:org.mitre.oval:def:14715

Oval ID:	oval:org.mitre.oval:def:14715
Title:	Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3
Description:	Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allow remote attackers to cause a denial of service (infinite recursion) via a crafted (1) SMB or (2) Connection-less LDAP (CLDAP) packet.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-1140	Version:	4
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.0.x, 1.2.0 through 1.2.14, or 1.4.0 through 1.4.3

Definition Id: oval:org.mitre.oval:def:14974

Oval ID:	oval:org.mitre.oval:def:14974
Title:	Vulnerability in epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3
Description:	epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (memory consumption) via (1) a long LDAP filter string or (2) an LDAP filter string containing many elements.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-1141	Version:	4
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.0.x, 1.2.0 through 1.2.14, or 1.4.0 through 1.4.3

Definition Id: oval:org.mitre.oval:def:16209

Oval ID:	oval:org.mitre.oval:def:16209
Title:	epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file
Description:	epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-1143	Version:	2
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is less than 1.4.4 AND Version of Wireshark is greater than or equals 0.99.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Wireshark Wireshark cpe:/a:wireshark:wireshark:1.5.0 cpe:/a:wireshark:wireshark:1.4.3 cpe:/a:wireshark:wireshark:1.4.2 cpe:/a:wireshark:wireshark:1.4.1 cpe:/a:wireshark:wireshark:1.4.0 cpe:/a:wireshark:wireshark:1.2.9 cpe:/a:wireshark:wireshark:1.2.8 cpe:/a:wireshark:wireshark:1.2.7 cpe:/a:wireshark:wireshark:1.2.6 cpe:/a:wireshark:wireshark:1.2.5 cpe:/a:wireshark:wireshark:1.2.4 cpe:/a:wireshark:wireshark:1.2.3 cpe:/a:wireshark:wireshark:1.2.2 cpe:/a:wireshark:wireshark:1.2.15 cpe:/a:wireshark:wireshark:1.2.14 cpe:/a:wireshark:wireshark:1.2.13 cpe:/a:wireshark:wireshark:1.2.12 cpe:/a:wireshark:wireshark:1.2.11 cpe:/a:wireshark:wireshark:1.2.10 cpe:/a:wireshark:wireshark:1.2.1 cpe:/a:wireshark:wireshark:1.2.0 cpe:/a:wireshark:wireshark:1.2 cpe:/a:wireshark:wireshark:1.0.9 cpe:/a:wireshark:wireshark:1.0.8 cpe:/a:wireshark:wireshark:1.0.7 cpe:/a:wireshark:wireshark:1.0.6 cpe:/a:wireshark:wireshark:1.0.5 cpe:/a:wireshark:wireshark:1.0.4 cpe:/a:wireshark:wireshark:1.0.3 cpe:/a:wireshark:wireshark:1.0.2 cpe:/a:wireshark:wireshark:1.0.16 cpe:/a:wireshark:wireshark:1.0.15 cpe:/a:wireshark:wireshark:1.0.14 cpe:/a:wireshark:wireshark:1.0.13 cpe:/a:wireshark:wireshark:1.0.12 cpe:/a:wireshark:wireshark:1.0.11 cpe:/a:wireshark:wireshark:1.0.10 cpe:/a:wireshark:wireshark:1.0.1 cpe:/a:wireshark:wireshark:1.0.0 cpe:/a:wireshark:wireshark:1.0 cpe:/a:wireshark:wireshark:0.99.8 cpe:/a:wireshark:wireshark:0.99.7 cpe:/a:wireshark:wireshark:0.99.6 cpe:/a:wireshark:wireshark:0.99.5 cpe:/a:wireshark:wireshark:0.99.4 cpe:/a:wireshark:wireshark:0.99.3 cpe:/a:wireshark:wireshark:0.99.2	47

Open Source Vulnerability Database (OSVDB)

id	Description
73403	Wireshark wiretap/pcapng.c Crafted Capture File Overflow DoS
71556	Wireshark pcap-ng File Handling Memory Corruption
71555	Wireshark pcap-ng Large packet-length Field DoS
71553	Wireshark Multiple Function SMB Packet Handling DoS
71552	Wireshark Multiple Function CLDAP Packet Handling DoS
71550	Wireshark LDAP Dissector Filter String Memory Consumption DoS
71548	Wireshark NTLMSSP Dissector PCAP File Handling DoS
68129	Wireshark ASN.1 BER Dissector epan/dissectors/packet-ber.c dissect_unknown_be...