Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a long string in an unknown ASN.1/BER encoded packet, as demonstrated using SNMP.

Wireshark version 1.4.2 fixes several security issues that allowed attackers to crash wireshark or potentially even execute arbitrary code

(CVE-2010-1455, CVE-2010-2283, CVE-2010-2284, CVE-2010-2285, CVE-2010-2286, CVE-2010-2287, CVE-2010-2992, CVE-2010-2993, CVE-2010-2994, CVE-2010-2995, CVE-2010-3445, CVE-2010-4300, CVE-2010-4301)

From Red Hat Security Advisory 2011:0370 :

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0013 advisory.

    [1.2.13-1.0.1.el6_0.2]
    - Add oracle-ocfs2-network.patch to allow disassembly of OCFS2 interconnect       packets bug#11486

    [1.2.13-1.1]
    - fix buffer overflow in ENTTEC dissector
    - Resolves: #667337

    [1.2.13-1]
    - upgrade to 1.2.13
    - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.11.html
    - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.12.html
    - see http://www.wireshark.org/docs/relnotes/wireshark-1.2.13.html
    - Resolves: #657534 (CVE-2010-4300 CVE-2010-3445)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

All running instances of Wireshark must be restarted for the update to take effect.

A heap-based buffer overflow flaw was found in the Wireshark Local Download Sharing Service (LDSS) dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-4300)

A denial of service flaw was found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445)

All running instances of Wireshark must be restarted for the update to take effect.

Wireshark was updated to version 1.4.4 to fix several security issues.

The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Wireshark. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send specially crafted packets on a network       being monitored by Wireshark, entice a user to open a malformed packet       trace file using Wireshark, or deploy a specially crafted Lua script for       use by Wireshark, possibly resulting in the execution of arbitrary code,       or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Wireshark was updated to version 1.4.4 to fix several security issues

Updated wireshark packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark is a program for monitoring network traffic. Wireshark was previously known as Ethereal.

A heap-based buffer overflow flaw was found in Wireshark. If Wireshark opened a specially crafted capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139, CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

Users of Wireshark should upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of Wireshark must be restarted for the update to take effect.

The remote Redhat Enterprise Linux 4 / 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:0370 advisory.

    Wireshark is a program for monitoring network traffic. Wireshark was     previously known as Ethereal.

    A heap-based buffer overflow flaw was found in Wireshark. If Wireshark     opened a specially-crafted capture file, it could crash or, possibly,     execute arbitrary code as the user running Wireshark. (CVE-2011-0024)

    Several denial of service flaws were found in Wireshark. Wireshark could     crash or stop responding if it read a malformed packet off a network, or     opened a malicious dump file. (CVE-2010-3445, CVE-2011-0538, CVE-2011-1139,     CVE-2011-1140, CVE-2011-1141, CVE-2011-1143)

    Users of Wireshark should upgrade to these updated packages, which contain     backported patches to correct these issues. All running instances of     Wireshark must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several security bugs were fixed in this release :

  - CVE-2011-0538: memory corruption when reading a     malformed pcap file

    - CVE-2010-3445: stack overflow in BER dissector

    - CVE-2011-1143: NULL pointer dereference causing       application crash when reading malformed pcap file

    - CVE-2011-1140: Multiple stack consumption       vulnerabilities caused DoS via crafted SMB or CLDAP       packet

    - CVE-2011-1141: Malformed LDAP filter string causes       Denial of Service via excessive memory consumption

    - CVE-2011-1138: Off-by-one error in the       dissect_6lowpan_iphc function causes application crash       (Denial Of Service)

    - CVE-2011-1139: Denial Of Service (application crash)       via a pcap-ng file that contains a large packet-length       field

    - CVE-2011-0713: heap-based buffer overflow when reading       malformed Nokia DCT3 phone signaling traces

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several security bugs were fixed in this release :

  - CVE-2011-0538: memory corruption when reading a     malformed pcap file

    - CVE-2010-3445: stack overflow in BER dissector

    - CVE-2011-1143: NULL pointer dereference causing       application crash when reading malformed pcap file

    - CVE-2011-1140: Multiple stack consumption       vulnerabilities caused DoS via crafted SMB or CLDAP       packet

    - CVE-2011-1138: Off-by-one error in the       dissect_6lowpan_iphc function causes application crash       (Denial Of Service)

    - CVE-2011-1139: Denial Of Service (application crash)       via a pcap-ng file that contains a large packet-length       field

    - CVE-2011-0713: heap-based buffer overflow when reading       malformed Nokia DCT3 phone signaling traces

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2010:0924 advisory.

  - wireshark: stack overflow in BER dissector (CVE-2010-3445)

  - Wireshark: Heap-based buffer overflow in LDSS dissector (CVE-2010-4300)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A flaw has been found in wireshark, a network protocol analyzer.

It was found that the ASN.1 BER dissector was susceptible to a stack overflow, causing the application to crash.

Secunia reports :

A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite recursion error in the 'dissect_unknown_ber()' function in epan/dissectors/packet-ber.c and can be exploited to cause a stack overflow e.g. via a specially crafted SNMP packet.

The vulnerability is confirmed in version 1.4.0 and reported in version 1.2.11 and prior and version 1.4.0 and prior.

The installed version of Wireshark is 1.2.x less than 1.2.12 or 1.4.x less than 1.4.1.  Such versions are affected by a denial of service vulnerability.  The ASN.1 BER dissector contains a flaw that can allow a stack overflow that in turn can cause the application to crash.

It was discovered that the ASN.1 BER dissector in wireshark was susceptible to a stack overflow (CVE-2010-3445).

For 2010.0 and 2010.1 wireshark was upgraded to v1.2.12 which is not vulnerable to this issue and was patched for CS4 and MES5 to resolve the vulnerability.

ID	Name	Product	Family	Severity
75771	openSUSE Security Update : wireshark (openSUSE-SU-2011:0010-2)	Nessus	SuSE Local Security Checks	critical
68232	Oracle Linux 4 / 5 : wireshark (ELSA-2011-0370)	Nessus	Oracle Linux Local Security Checks	high
68179	Oracle Linux 5 / 6 : wireshark (ELSA-2011-0013)	Nessus	Oracle Linux Local Security Checks	high
60991	Scientific Linux Security Update : wireshark on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60911	Scientific Linux Security Update : wireshark on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
57261	SuSE 10 Security Update : wireshark (ZYPP Patch Number 7438)	Nessus	SuSE Local Security Checks	critical
56426	GLSA-201110-02 : Wireshark: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
53808	openSUSE Security Update : wireshark (openSUSE-SU-2011:0010-2)	Nessus	SuSE Local Security Checks	critical
53689	openSUSE Security Update : wireshark (openSUSE-SU-2011:0010-1)	Nessus	SuSE Local Security Checks	critical
53319	SuSE 10 Security Update : wireshark (ZYPP Patch Number 7439)	Nessus	SuSE Local Security Checks	critical
53315	SuSE 11.1 Security Update : wireshark (SAT Patch Number 4267)	Nessus	SuSE Local Security Checks	critical
52757	CentOS 4 / 5 : wireshark (CESA-2011:0370)	Nessus	CentOS Local Security Checks	high
52750	RHEL 4 / 5 : wireshark (RHSA-2011:0370)	Nessus	Red Hat Local Security Checks	high
52641	Fedora 14 : wireshark-1.4.4-1.fc14 (2011-2632)	Nessus	Fedora Local Security Checks	medium
52640	Fedora 13 : wireshark-1.2.15-1.fc13 (2011-2620)	Nessus	Fedora Local Security Checks	medium
52590	Fedora 15 : wireshark-1.4.4-1.fc15 (2011-2648)	Nessus	Fedora Local Security Checks	medium
50851	RHEL 6 : wireshark (RHSA-2010:0924)	Nessus	Red Hat Local Security Checks	high
50826	Debian DSA-2127-1 : wireshark - denial of service	Nessus	Debian Local Security Checks	medium
50500	FreeBSD : Wireshark -- DoS in the BER-based dissectors (b2eaa7c2-e64a-11df-bc65-0022156e8794)	Nessus	FreeBSD Local Security Checks	medium
49978	Wireshark < 1.2.12 / 1.4.1 ASN.1 BER Dissector Denial of Service	Nessus	Windows	medium
49970	Mandriva Linux Security Advisory : wireshark (MDVSA-2010:200)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2010-3445

high

Tenable Plugins

critical

high

high

high

high

critical

critical

critical

critical

critical

critical

high

high

medium

medium

medium

high

medium

medium

medium

medium