May 2005
Ethereal Security Advisory: Multiple security issues in ethereal versions 0.10.10 and prior
ID: 00447
Ref: 413/2005
Date: 27 May 2005:15:18:17
Version: 1
Title: Ethereal Security Advisory: Multiple security issues in ethereal versions 0.10.10 and prior
Abstract: An aggressive testing program as well as independent discovery has turned up a multitude of security issues.
Vendors affected: Ethereal
Operating systems affected: Ethereal
Applications affected: Ethereal
Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0394 -- Ethereal Security Advisory
Multiple security issues in ethereal versions 0.10.10 and prior
27 May 2005
===========================================================================
Product:           ethereal
Publisher:         NS Computer Software and Services P/L
Operating System:  UNIX variants
                   Linux variants
                   Windows
                   Mac OS X
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-1456 CAN-2005-1457 CAN-2005-1458
                   CAN-2005-1459 CAN-2005-1460 CAN-2005-1461
                   CAN-2005-1462 CAN-2005-1463 CAN-2005-1464
                   CAN-2005-1465 CAN-2005-1466 CAN-2005-1467
                   CAN-2005-1468 CAN-2005-1469 CAN-2005-1470
Original Bulletin: http://www.ethereal.com/appnotes/enpa-sa-00019.html
- - --------------------------BEGIN INCLUDED TEXT--------------------
Summary
Name: Multiple problems in Ethereal versions 0.8.14 to 0.10.10
Docid: enpa-sa-00019
Date: May 4, 2005
Versions affected: 0.8.14 up to and including 0.10.10
Severity: High
Description:
An aggressive testing program as well as independent discovery has turned up
a multitude of security issues:
* The ANSI A dissector was susceptible to format string vulnerabilities.
* The GSM MAP dissector could crash.
* The AIM dissector could cause a crash.
* The DISTCC dissector was susceptible to a buffer overflow.
* The FCELS dissector was susceptible to a buffer overflow.
* The SIP dissector was susceptible to a buffer overflow.
* The KINK dissector was susceptible to a null pointer exception,
  endless looping, and other problems.
* The LMP dissector was susceptible to an endless loop.
* The Telnet dissector could abort.
* The TZSP dissector could cause a segmentation fault.
* The WSP dissector was susceptible to a null pointer exception and
  assertions.
* The 802.3 Slow protocols dissector could throw an assertion.
* The BER dissector could throw assertions.
* The SMB Mailslot dissector was susceptible to a null pointer
  exception and could throw assertions.
* The H.245 dissector was susceptible to a null pointer exception.
* The Bittorrent dissector could cause a segmentation fault.
* The SMB dissector could cause a segmentation fault and throw assertions.
* The Fibre Channel dissector could cause a crash.
* The DICOM dissector could attempt to allocate large amounts of memory.
* The MGCP dissector was susceptible to a null pointer exception, could
  loop indefinitely, and segfault.
* The RSVP dissector could loop indefinitely.
* The DHCP dissector was susceptible to format string vulnerabilities,
  and could abort.
* The SRVLOC dissector could crash unexpectedly or go into an infinite
  loop.
* The EIGRP dissector could loop indefinitely.
* The ISIS dissector could overflow a buffer.
* The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified,
  and X.509 dissectors could overflow buffers.
* The NDPS dissector could exhaust system memory, cause an assertion, or
  crash.
* The Q.931 dissector could try to free a null pointer and overflow a buffer.
* The IAX2 dissector could throw an assertion.
* The ICEP dissector could try to free the same memory twice.
* The MEGACO dissector was susceptible to an infinite loop and a buffer
  overflow.
* The DLSw dissector was susceptible to an infinite loop.
* The RPC dissector was susceptible to a null pointer exception.
* The NCP dissector could overflow a buffer or loop for a large amount of
  time.
* The RADIUS dissector could throw an assertion.
* The GSM dissector could access an invalid pointer.
* The SMB PIPE dissector could throw an assertion.
* The L2TP dissector was susceptible to an infinite loop.
* The SMB NETLOGON dissector could dereference a null pointer.
* The MRDISC dissector could throw an assertion.
* The ISUP dissector could overflow a buffer or cause a segmentation fault.
* The LDAP dissector could crash.
* The TCAP dissector could overflow a buffer or throw an assertion.
* The NTLMSSP dissector could crash.
* The Presentation dissector could overflow a buffer.
* Additionally, a number of dissectors could throw an assertion when passing
  an invalid protocol tree item length.
Impact:
It may be possible to make Ethereal crash, use up available memory, or run
arbitrary code by injecting a purposefully malformed packet onto the wire or
by convincing someone to read a malformed packet trace file.
Resolution:
Upgrade to 0.10.11. Due to the severity and scope of the defects that have
been discovered, no workaround is available.
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
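
The following is an added example, not part of the advisory or of the Ethereal project: a triage helper that checks reported version strings against the affected range stated above (0.8.14 up to and including 0.10.10). The inventory format and host names are constructed for illustration; the `naive_classify` function is included only to show that plain string comparison gets this particular range wrong.

```python
import re

# Affected range as stated in the advisory (fixed in 0.10.11).
FIRST_AFFECTED = (0, 8, 14)
LAST_AFFECTED = (0, 10, 10)

# First x.y.z triple that is not the tail of a longer dotted number.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first x.y.z version found in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Compare numerically, component by component."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < FIRST_AFFECTED:
        return "before-range"
    if v <= LAST_AFFECTED:
        return "affected"
    return "at-or-after-fix"

def naive_classify(version):
    """Lexical comparison, shown only to expose the pitfall:
    as strings, "0.8.14" > "0.10.10", so the range is empty."""
    return "affected" if "0.8.14" <= version <= "0.10.10" else "not-affected"

# Constructed inventory: "<host> <reported version string>".
SAMPLE_INVENTORY = """\
host-a ethereal 0.10.10
host-b ethereal 0.10.11
host-c tethereal 0.8.14
host-d ethereal 0.8.13
host-e ethereal 0.9.16
host-f (not installed)
"""

def triage(inventory):
    """Map each host in the inventory text to its classification."""
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _, rest = line.partition(" ")
            result[host] = classify(rest)
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, status)
```

Hosts reported as `unknown` need a manual check, since a missing or unparsable version string says nothing about whether an affected build is installed.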