9.3 - VU#243670

Executive Summary

Summary
Title	Wireshark DECT dissector vulnerability

Informations
Name	VU#243670	First vendor Publication	2011-04-18
Vendor	VU-CERT	Last vendor Modification	2011-04-18
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#243670

Wireshark DECT dissector vulnerability

Overview

Wireshark's DECT dissector contains a remote code execution vulnerability in the context of the user running a packet capture or reading a packet capture file.

I. Description

Paul Makowski's report states:

/epan/dissectors/packet-dect.c contains a stack-based buffer overflow via a call to memcpy() whose length is controlled by the attacker. Absent exploit mitigations independant of Wireshark's default build options, an attacker is able to execute arbitrary code in the context of the user running a packet capture. On *NIX systems, such capability is frequently reserved for the root user. The overflowable buffer is pkt_bfield.Data.

II. Impact

An attacker may cause any active capture or .pcap dissection to crash Wireshark/tshark. Remote code execution is also possible.

III. Solution

Apply an Update

Upgrade to Wireshark 1.4.5. Several other security related fixes are also included in this version.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Wireshark	Affected		2011-04-18

References

http://www.wireshark.org/lists/wireshark-announce/201104/msg00002.html
http://www.wireshark.org/docs/relnotes/wireshark-1.4.5.html
http://www.wireshark.org/download.html

Credit

Thanks to Paul Makowski working for CERT/CC for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:	2011-04-17
Date First Published:	2011-04-18
Date Last Updated:	2011-04-18
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:	0.09
Document Revision:	5

Original Source

Url : http://www.kb.cert.org/vuls/id/243670

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15000

Oval ID:	oval:org.mitre.oval:def:15000
Title:	Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5
Description:	Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-1591	Version:	6
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012	Product(s):	Wireshark
Definition Synopsis:
Wireshark is installed on the system. AND Version of Wireshark is 1.4.x before 1.4.5

CPE : Common Platform Enumeration

Type	Description	Count
Application	Wireshark cpe:2.3:a:wireshark:wireshark:1.4.4:::::::* cpe:2.3:a:wireshark:wireshark:1.4.3:::::::* cpe:2.3:a:wireshark:wireshark:1.4.2:::::::* cpe:2.3:a:wireshark:wireshark:1.4.1:::::::* cpe:2.3:a:wireshark:wireshark:1.4.0:::::::*	5

SAINT Exploits

Description	Link
Wireshark DECT Dissector PCAP File Processing Overflow	More info here
Wireshark DECT Dissector Remote Stack Buffer Overflow	More info here

OpenVAS Exploits

Date	Description
2012-04-25	Name : Wireshark DECT Buffer Overflow Vulnerability (Mac OS X) File : nvt/secpod_wireshark_dect_bof_vuln_macosx.nasl
2012-02-12	Name : Gentoo Security Advisory GLSA 201110-02 (wireshark) File : nvt/glsa_201110_02.nasl
2011-05-17	Name : Mandriva Update for wireshark MDVSA-2011:083 (wireshark) File : nvt/gb_mandriva_MDVSA_2011_083.nasl
2011-05-16	Name : Wireshark Denial of Service and Buffer Overflow Vulnerabilities (Windows) File : nvt/gb_wireshark_mult_vuln_win_may11.nasl
2011-05-05	Name : Fedora Update for wireshark FEDORA-2011-5529 File : nvt/gb_fedora_2011_5529_wireshark_fc13.nasl
2011-05-05	Name : Fedora Update for wireshark FEDORA-2011-5569 File : nvt/gb_fedora_2011_5569_wireshark_fc14.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
71848	Wireshark epan/dissectors/packet-dect.c DECT Dissector Overflow Wireshark is prone to an overflow condition. The DECT dissector in epan/dissectors/packet-dect.c fails to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted packet, a remote attacker can potentially execute arbitrary code.

Snort® IPS/IDS

Date	Description
2016-03-14	Wireshark DECT packet dissector overflow attempt RuleID : 36855 - Revision : 3 - Type : FILE-OTHER
2014-01-10	Wireshark DECT packet dissector overflow attempt RuleID : 20431 - Revision : 8 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_wireshark-110511.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_wireshark-110511.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_wireshark-7500.nasl - Type : ACT_GATHER_INFO
2011-10-10	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-02.nasl - Type : ACT_GATHER_INFO
2011-06-08	Name : The remote SuSE 11 host is missing a security update. File : suse_11_wireshark-110503.nasl - Type : ACT_GATHER_INFO
2011-06-08	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_wireshark-7501.nasl - Type : ACT_GATHER_INFO
2011-05-13	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-083.nasl - Type : ACT_GATHER_INFO
2011-04-27	Name : The remote Fedora host is missing a security update. File : fedora_2011-5529.nasl - Type : ACT_GATHER_INFO
2011-04-27	Name : The remote Fedora host is missing a security update. File : fedora_2011-5569.nasl - Type : ACT_GATHER_INFO
2011-04-27	Name : The remote Fedora host is missing a security update. File : fedora_2011-5621.nasl - Type : ACT_GATHER_INFO
2011-04-18	Name : The remote Windows host contains an application that is affected by multiple ... File : wireshark_1_4_5.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	5
Saint Exploit(s)	2
osvdb(s)	1
Openvas Exploit(s)	6
Snort® Rule(s)	2
Nessus® Exploit(s)	11

	Related
9.3	CVE-2011-1591
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)