The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2008-0890 advisory.

    [1.0.3-4.0.1.el5_2]
    - Add oracle-ocfs2-network.patch

    [1.0.3-4]
    - fix pam session file, wireshark requires root pswd everytime its started

    [1.0.3-3]
    - fix pie flags

    [1.0.3-1]
    - upgrade to 1.0.3
    - fixes several security issues
    - Resolves: #461569

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple buffer overflow flaws were found in Wireshark. If Wireshark read a malformed packet off a network, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2008-3146)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malformed dump file. (CVE-2008-1070, CVE-2008-1071, CVE-2008-1072, CVE-2008-1561, CVE-2008-1562, CVE-2008-1563, CVE-2008-3137, CVE-2008-3138, CVE-2008-3141, CVE-2008-3145, CVE-2008-3932, CVE-2008-3933, CVE-2008-3934)

Additionally, this update changes the default Pluggable Authentication Modules (PAM) configuration to always prompt for the root password before each start of Wireshark. This avoids unintentionally running Wireshark with root privileges.

Various vulnerabilities have been fixed in ethereal: CVE-2008-3137, CVE-2008-3138, CVE-2008-3139, CVE-2008-3140, CVE-2008-3141, CVE-2008-3145 and CVE-2008-3146.

Various vulnerabilities have been fixed in wireshark: CVE-2008-3137, CVE-2008-3138, CVE-2008-3139, CVE-2008-3140, CVE-2008-3141, CVE-2008-3145 and CVE-2008-3146.

A number of vulnerabilities were discovered in Wireshark that could cause it to crash while processing malicious packets (CVE-2008-3137, CVE-2008-3138, CVE-2008-3139, CVE-2008-3140, CVE-2008-3141, CVE-2008-3145).

This update provides Wireshark 1.0.2, which is not vulnerable to these issues.

Several remote vulnerabilities have been discovered in network traffic analyzer Wireshark. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3137     The GSM SMS dissector is vulnerable to denial of     service.

  - CVE-2008-3138     The PANA and KISMET dissectors are vulnerable to denial     of service.

  - CVE-2008-3141     The RMI dissector could disclose system memory.

  - CVE-2008-3145     The packet reassembling module is vulnerable to denial     of service.

  - CVE-2008-3933     The zlib uncompression module is vulnerable to denial of     service.

  - CVE-2008-4683     The Bluetooth ACL dissector is vulnerable to denial of     service.

  - CVE-2008-4684     The PRP and MATE dissectors are vulnerable to denial of     service.

  - CVE-2008-4685     The Q931 dissector is vulnerable to denial of service.

Updated wireshark packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

Multiple buffer overflow flaws were found in Wireshark. If Wireshark read a malformed packet off a network, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2008-3146)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malformed dump file. (CVE-2008-1070, CVE-2008-1071, CVE-2008-1072, CVE-2008-1561, CVE-2008-1562, CVE-2008-1563, CVE-2008-3137, CVE-2008-3138, CVE-2008-3141, CVE-2008-3145, CVE-2008-3932, CVE-2008-3933, CVE-2008-3934)

Additionally, this update changes the default Pluggable Authentication Modules (PAM) configuration to always prompt for the root password before each start of Wireshark. This avoids unintentionally running Wireshark with root privileges.

Users of wireshark should upgrade to these updated packages, which contain Wireshark version 1.0.3, and resolve these issues.

Various vulnerabilities have been fixed in wireshark: CVE-2008-3137 / CVE-2008-3138 / CVE-2008-3139 / CVE-2008-3140 / CVE-2008-3141 / CVE-2008-3145 / CVE-2008-3146.

The remote host is affected by the vulnerability described in GLSA-200808-04 (Wireshark: Denial of Service)

    Multiple vulnerabilities related to memory management were discovered     in the GSM SMS dissector (CVE-2008-3137), the PANA and KISMET     dissectors (CVE-2008-3138), the RTMPT dissector (CVE-2008-3139), the     syslog dissector (CVE-2008-3140) and the RMI dissector (CVE-2008-3141)     and when reassembling fragmented packets (CVE-2008-3145).
  Impact :

    A remote attacker could exploit these vulnerabilities by sending a     specially crafted packet on a network being monitored by Wireshark or     enticing a user to read a malformed packet trace file, causing a Denial     of Service.
  Workaround :

    There is no known workaround at this time.

Upgrade to upstream 1.0.2 that fixes several security vulnerabilities:
http://www.wireshark.org/security/wnpa-sec-2008-03.html http://www.wireshark.org/security/wnpa-sec-2008-04.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
67748	Oracle Linux 5 : wireshark (ELSA-2008-0890)	Nessus	Oracle Linux Local Security Checks	high
60479	Scientific Linux Security Update : wireshark on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
41234	SuSE9 Security Update : ethereal (YOU Patch Number 12225)	Nessus	SuSE Local Security Checks	critical
40151	openSUSE Security Update : wireshark (wireshark-149)	Nessus	SuSE Local Security Checks	critical
36557	Mandriva Linux Security Advisory : wireshark (MDVSA-2008:152)	Nessus	Mandriva Local Security Checks	medium
34974	Debian DSA-1673-1 : wireshark - several vulnerabilities	Nessus	Debian Local Security Checks	medium
34328	RHEL 3 / 4 / 5 : wireshark (RHSA-2008:0890)	Nessus	Red Hat Local Security Checks	critical
34326	CentOS 3 / 4 / 5 : wireshark (CESA-2008:0890)	Nessus	CentOS Local Security Checks	critical
34047	openSUSE 10 Security Update : wireshark (wireshark-5515)	Nessus	SuSE Local Security Checks	critical
34046	SuSE 10 Security Update : ethereal (ZYPP Patch Number 5520)	Nessus	SuSE Local Security Checks	critical
33834	GLSA-200808-04 : Wireshark: Denial of Service	Nessus	Gentoo Local Security Checks	medium
33553	Fedora 8 : wireshark-1.0.2-1.fc8 (2008-6645)	Nessus	Fedora Local Security Checks	medium
33521	Fedora 9 : wireshark-1.0.2-1.fc9 (2008-6440)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2008-3145

high

Tenable Plugins

high

critical

critical

critical

medium

medium

critical

critical

critical

critical

medium

medium

medium