Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (loop or application crash) via a malformed packet, related to a crash of the Websocket dissector, an infinite loop in the MySQL dissector, and a large loop in the ETCH dissector.

This wireshark version update to 1.6.16 includes several security and general bug fixes.

http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html

  - The CAPWAP dissector could crash. Discovered by Laurent     Butti. (CVE-2013-4074)

  - The HTTP dissector could overrun the stack. Discovered     by David Keeler. (CVE-2013-4081)

  - The DCP ETSI dissector could crash. (CVE-2013-4083)

http://www.wireshark.org/docs/relnotes/wireshark-1.6.15.html

  - The ASN.1 BER dissector could crash. ( CVE-2013-3556     CVE-2013-3557 )

The releases also fix various non-security issues.

Additionally, a crash in processing SCTP filters has been fixed.
(bug#816887)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Solaris system is missing necessary patches to address security updates :

  - The dissect_diagnosticrequest function in     epan/dissectors/packet-reload.c in the REsource LOcation     And Discovery (aka RELOAD) dissector in Wireshark 1.8.x     before 1.8.6 uses an incorrect integer data type, which     allows remote attackers to cause a denial of service     (infinite loop) via crafted integer values in a packet.
    (CVE-2013-2486)

  - epan/dissectors/packet-reload.c in the REsource LOcation     And Discovery (aka RELOAD) dissector in Wireshark 1.8.x     before 1.8.6 uses incorrect integer data types, which     allows remote attackers to cause a denial of service     (infinite loop) via crafted integer values in a packet,     related to the (1) dissect_icecandidates, (2)     dissect_kinddata, (3) dissect_nodeid_list, (4)     dissect_storeans, (5) dissect_storereq, (6)     dissect_storeddataspecifier, (7) dissect_fetchreq, (8)     dissect_findans, (9) dissect_diagnosticinfo, (10)     dissect_diagnosticresponse, (11)     dissect_reload_messagecontents, and (12)     dissect_reload_message functions, a different     vulnerability than CVE-2013-2486. (CVE-2013-2487)

  - epan/dissectors/packet-gtpv2.c in the GTPv2 dissector in     Wireshark 1.8.x before 1.8.7 calls incorrect functions     in certain contexts related to ciphers, which allows     remote attackers to cause a denial of service     (application crash) via a malformed packet.
    (CVE-2013-3555)

  - The fragment_add_seq_common function in     epan/reassemble.c in the ASN.1 BER dissector in     Wireshark before r48943 has an incorrect pointer     dereference during a comparison, which allows remote     attackers to cause a denial of service (application     crash) via a malformed packet. (CVE-2013-3556)

  - The dissect_ber_choice function in     epan/dissectors/packet-ber.c in the ASN.1 BER dissector     in Wireshark 1.6.x before 1.6.15 and 1.8.x before 1.8.7     does not properly initialize a certain variable, which     allows remote attackers to cause a denial of service     (application crash) via a malformed packet.
    (CVE-2013-3557)

  - The dissect_ccp_bsdcomp_opt function in     epan/dissectors/packet-ppp.c in the PPP CCP dissector in     Wireshark 1.8.x before 1.8.7 does not terminate a     bit-field list, which allows remote attackers to cause a     denial of service (application crash) via a malformed     packet. (CVE-2013-3558)

  - epan/dissectors/packet-dcp-etsi.c in the DCP ETSI     dissector in Wireshark 1.8.x before 1.8.7 uses incorrect     integer data types, which allows remote attackers to     cause a denial of service (integer overflow, and heap     memory corruption or NULL pointer dereference, and     application crash) via a malformed packet.
    (CVE-2013-3559)

  - The dissect_dsmcc_un_download function in     epan/dissectors/packet-mpeg-dsmcc.c in the MPEG DSM-CC     dissector in Wireshark 1.8.x before 1.8.7 uses an     incorrect format string, which allows remote attackers     to cause a denial of service (application crash) via a     malformed packet. (CVE-2013-3560)

  - Multiple integer overflows in Wireshark 1.8.x before     1.8.7 allow remote attackers to cause a denial of     service (loop or application crash) via a malformed     packet, related to a crash of the Websocket dissector,     an infinite loop in the MySQL dissector, and a large     loop in the ETCH dissector. (CVE-2013-3561)

  - Multiple integer signedness errors in the tvb_unmasked     function in epan/ dissectors/packet-websocket.c in the     Websocket dissector in Wireshark 1.8.x before 1.8.7     allow remote attackers to cause a denial of service     (application crash) via a malformed packet.
    (CVE-2013-3562)

  - The dissect_pft function in     epan/dissectors/packet-dcp-etsi.c in the DCP ETSI     dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before     1.8.8, and 1.10.0 does not validate a certain fragment     length value, which allows remote attackers to cause a     denial of service (application crash) via a crafted     packet. (CVE-2013-4083)

Updated wireshark packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark, previously known as Ethereal, is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network.

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
(CVE-2013-3559, CVE-2013-4083)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2012-2392, CVE-2012-3825, CVE-2012-4285, CVE-2012-4288, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291, CVE-2012-4292, CVE-2012-5595, CVE-2012-5597, CVE-2012-5598, CVE-2012-5599, CVE-2012-5600, CVE-2012-6056, CVE-2012-6059, CVE-2012-6060, CVE-2012-6061, CVE-2012-6062, CVE-2013-3557, CVE-2013-3561, CVE-2013-4081, CVE-2013-4927, CVE-2013-4931, CVE-2013-4932, CVE-2013-4933, CVE-2013-4934, CVE-2013-4935, CVE-2013-4936, CVE-2013-5721)

The wireshark packages have been upgraded to upstream version 1.8.10, which provides a number of bug fixes and enhancements over the previous versions. For more information on the bugs fixed, enhancements included, and supported protocols introduced, refer to the Wireshark Release Notes, linked to in the References. (BZ#711024)

This update also fixes the following bugs :

* Previously, Wireshark did not parse the RECLAIM-COMPLETE opcode when inspecting traffic generated by NFSv4.1. A patch has been provided to enable the parsing of the RECLAIM_COMPLETE opcode, and Wireshark is now able to properly dissect and handle NFSv4.1 traffic. (BZ#750712)

* Prior to this update, frame arrival times in a text file were reported one hour ahead from the timestamps in the packet capture file. This resulted in various failures being reported by the dfilter-test.py test suite. To fix this bug, frame arrival timestamps have been shifted by one hour, thus fixing this bug. (BZ#832021)

* The 'tshark -D' command returned output to STDERR instead of STDOUT, which could break scripts that are parsing the 'tshark -D' output.
This bug has been fixed, and the 'tshark -D' command now writes output data to a correct standard stream. (BZ#1004636)

* Due to an array overrun, Wireshark could experience undefined program behavior or could unexpectedly terminate. With this update, proper array handling ensures Wireshark no longer crashes in the described scenario. (BZ#715560)

* Previously, the dftest and randpkt command line utilities lacked manual pages. This update adds proper manual pages for both utilities.
(BZ#659661)

In addition, this update adds the following enhancements :

* With this update, Wireshark is able to properly dissect and handle InfiniBand and GlusterFS traffic. (BZ#699636, BZ#858976)

All Wireshark users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running instances of Wireshark must be restarted for the update to take effect.

This update of wireshark includes several security and bug fixes.

  - update to 1.8.8 [bnc#823932]

  + vulnerabilities fixed :

  - The CAPWAP dissector could crash. wnpa-sec-2013-32

  - The GMR-1 BCCH dissector could crash. wnpa-sec-2013-33

  - The PPP dissector could crash. wnpa-sec-2013-34

  - The NBAP dissector could crash. wnpa-sec-2013-35

  - The RDP dissector could crash. wnpa-sec-2013-36

  - The GSM CBCH dissector could crash. wnpa-sec-2013-37

  - The Assa Abloy R3 dissector could consume excessive     memory and CPU. wnpa-sec-2013-38

  - The HTTP dissector could overrun the stack.
    wnpa-sec-2013-39

  - The Ixia IxVeriWave file parser could overflow the heap.
    wnpa-sec-2013-40

  - The DCP ETSI dissector could crash. wnpa-sec-2013-41

  + Further bug fixes and updated protocol support as listed     in:
    https://www.wireshark.org/docs/relnotes/wireshark-1.8.8.
    html

    wnpa-sec-2013-24 CVE-2013-3555 wnpa-sec-2013-25     CVE-2013-3556 CVE-2013-3557 wnpa-sec-2013-26     CVE-2013-3558 wnpa-sec-2013-27 CVE-2013-3559     wnpa-sec-2013-28 CVE-2013-3560 wnpa-sec-2013-29     CVE-2013-3561 CVE-2013-3562 wnpa-sec-2013-30     CVE-2013-3561 wnpa-sec-2013-31 CVE-2013-3561

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
(CVE-2013-3559, CVE-2013-4083)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2012-2392, CVE-2012-3825, CVE-2012-4285, CVE-2012-4288, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291, CVE-2012-4292, CVE-2012-5595, CVE-2012-5597, CVE-2012-5598, CVE-2012-5599, CVE-2012-5600, CVE-2012-6056, CVE-2012-6059, CVE-2012-6060, CVE-2012-6061, CVE-2012-6062, CVE-2013-3557, CVE-2013-3561, CVE-2013-4081, CVE-2013-4927, CVE-2013-4931, CVE-2013-4932, CVE-2013-4933, CVE-2013-4934, CVE-2013-4935, CVE-2013-4936, CVE-2013-5721)

The wireshark packages have been upgraded to upstream version 1.8.10, which provides a number of bug fixes and enhancements over the previous versions. For more information on the bugs fixed, enhancements included, and supported protocols introduced, refer to the Wireshark Release Notes.

This update also fixes the following bugs :

  - Previously, Wireshark did not parse the RECLAIM-COMPLETE     opcode when inspecting traffic generated by NFSv4.1. A     patch has been provided to enable the parsing of the     RECLAIM_COMPLETE opcode, and Wireshark is now able to     properly dissect and handle NFSv4.1 traffic.

  - Prior to this update, frame arrival times in a text file     were reported one hour ahead from the timestamps in the     packet capture file. This resulted in various failures     being reported by the dfilter-test.py test suite. To fix     this bug, frame arrival timestamps have been shifted by     one hour, thus fixing this bug.

  - The 'tshark -D' command returned output to STDERR     instead of STDOUT, which could break scripts that are     parsing the 'tshark -D' output. This bug has been fixed,     and the 'tshark -D' command now writes output data to a     correct standard stream.

  - Due to an array overrun, Wireshark could experience     undefined program behavior or could unexpectedly     terminate. With this update, proper array handling     ensures Wireshark no longer crashes in the described     scenario.

  - Previously, the dftest and randpkt command line     utilities lacked manual pages. This update adds proper     manual pages for both utilities.

In addition, this update adds the following enhancements :

  - With this update, Wireshark is able to properly dissect     and handle InfiniBand and GlusterFS traffic.

All running instances of Wireshark must be restarted for the update to take effect.

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
(CVE-2013-3559 , CVE-2013-4083)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2012-2392 , CVE-2012-3825 , CVE-2012-4285 , CVE-2012-4288 , CVE-2012-4289 , CVE-2012-4290 , CVE-2012-4291 , CVE-2012-4292 , CVE-2012-5595 , CVE-2012-5597 , CVE-2012-5598 , CVE-2012-5599 , CVE-2012-5600 , CVE-2012-6056 , CVE-2012-6059 , CVE-2012-6060 , CVE-2012-6061 , CVE-2012-6062 , CVE-2013-3557 , CVE-2013-3561 , CVE-2013-4081 , CVE-2013-4927 , CVE-2013-4931 , CVE-2013-4932 , CVE-2013-4933 , CVE-2013-4934 , CVE-2013-4935 , CVE-2013-4936 , CVE-2013-5721)

From Red Hat Security Advisory 2013:1569 :

Updated wireshark packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Wireshark, previously known as Ethereal, is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network.

Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
(CVE-2013-3559, CVE-2013-4083)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2012-2392, CVE-2012-3825, CVE-2012-4285, CVE-2012-4288, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291, CVE-2012-4292, CVE-2012-5595, CVE-2012-5597, CVE-2012-5598, CVE-2012-5599, CVE-2012-5600, CVE-2012-6056, CVE-2012-6059, CVE-2012-6060, CVE-2012-6061, CVE-2012-6062, CVE-2013-3557, CVE-2013-3561, CVE-2013-4081, CVE-2013-4927, CVE-2013-4931, CVE-2013-4932, CVE-2013-4933, CVE-2013-4934, CVE-2013-4935, CVE-2013-4936, CVE-2013-5721)

The wireshark packages have been upgraded to upstream version 1.8.10, which provides a number of bug fixes and enhancements over the previous versions. For more information on the bugs fixed, enhancements included, and supported protocols introduced, refer to the Wireshark Release Notes, linked to in the References. (BZ#711024)

This update also fixes the following bugs :

* Previously, Wireshark did not parse the RECLAIM-COMPLETE opcode when inspecting traffic generated by NFSv4.1. A patch has been provided to enable the parsing of the RECLAIM_COMPLETE opcode, and Wireshark is now able to properly dissect and handle NFSv4.1 traffic. (BZ#750712)

* Prior to this update, frame arrival times in a text file were reported one hour ahead from the timestamps in the packet capture file. This resulted in various failures being reported by the dfilter-test.py test suite. To fix this bug, frame arrival timestamps have been shifted by one hour, thus fixing this bug. (BZ#832021)

* The 'tshark -D' command returned output to STDERR instead of STDOUT, which could break scripts that are parsing the 'tshark -D' output.
This bug has been fixed, and the 'tshark -D' command now writes output data to a correct standard stream. (BZ#1004636)

* Due to an array overrun, Wireshark could experience undefined program behavior or could unexpectedly terminate. With this update, proper array handling ensures Wireshark no longer crashes in the described scenario. (BZ#715560)

* Previously, the dftest and randpkt command line utilities lacked manual pages. This update adds proper manual pages for both utilities.
(BZ#659661)

In addition, this update adds the following enhancements :

* With this update, Wireshark is able to properly dissect and handle InfiniBand and GlusterFS traffic. (BZ#699636, BZ#858976)

All Wireshark users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running instances of Wireshark must be restarted for the update to take effect.

The remote host is affected by the vulnerability described in GLSA-201308-05 (Wireshark: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Wireshark. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This wireshark version update to 1.6.16 includes several security and general bug fixes.

http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html

  - The CAPWAP dissector could crash. Discovered by Laurent     Butti. (CVE-2013-4074)

  - The HTTP dissector could overrun the stack. Discovered     by David Keeler. (CVE-2013-4081)

  - The DCP ETSI dissector could crash. (CVE-2013-4083)     http://www.wireshark.org/docs/relnotes/wireshark-1.6.15.
    html

  - The ASN.1 BER dissector could crash. ( CVE-2013-3556 /     CVE-2013-3557 ) The releases also fix various     non-security issues.

Additionally, a crash in processing SCTP filters has been fixed.
(bug#816887)

This wireshark version update to 1.8.8 includes several security and general bug fixes.

Version update to 1.8.8 [bnc#824900] :

  - vulnerabilities fixed :

  - The CAPWAP dissector could crash. wnpa-sec-2013-32.
    (CVE-2013-4074)

  - The GMR-1 BCCH dissector could crash. wnpa-sec-2013-33.
    (CVE-2013-4075)

  - The PPP dissector could crash. wnpa-sec-2013-34.
    (CVE-2013-4076)

  - The NBAP dissector could crash. wnpa-sec-2013-35.
    (CVE-2013-4077)

  - The RDP dissector could crash. wnpa-sec-2013-36.
    (CVE-2013-4078)

  - The GSM CBCH dissector could crash. wnpa-sec-2013-37.
    (CVE-2013-4079)

  - The Assa Abloy R3 dissector could consume excessive     memory and CPU. wnpa-sec-2013-38. (CVE-2013-4080)

  - The HTTP dissector could overrun the stack.
    wnpa-sec-2013-39. (CVE-2013-4081)

  - The Ixia IxVeriWave file parser could overflow the heap.
    wnpa-sec-2013-40. (CVE-2013-4082)

  - The DCP ETSI dissector could crash. wnpa-sec-2013-41.
    (CVE-2013-4083)

  - Further bug fixes and updated protocol support as listed     in:
    https://www.wireshark.org/docs/relnotes/wireshark-1.8.8.
    html Version update to 1.8.7 [bnc#813217, bnc#820973] :

  - vulnerabilities fixed :

  - The RELOAD dissector could go into an infinite loop.
    wnpa-sec-2013-23. (CVE-2013-2486 / CVE-2013-2487)

  - The GTPv2 dissector could crash. wnpa-sec-2013-24

  - The ASN.1 BER dissector could crash. wnpa-sec-2013-25

  - The PPP CCP dissector could crash. wnpa-sec-2013-26

  - The DCP ETSI dissector could crash. wnpa-sec-2013-27

  - The MPEG DSM-CC dissector could crash. wnpa-sec-2013-28

  - The Websocket dissector could crash. wnpa-sec-2013-29

  - The MySQL dissector could go into an infinite loop.
    wnpa-sec-2013-30

  - The ETCH dissector could go into a large loop.
    wnpa-sec-2013-31

  - Further bug fixes and updated protocol support as listed     in:
    https://www.wireshark.org/docs/relnotes/wireshark-1.8.7.
    html Ohter bug fixes :

  - 'Save As' Nokia libpcap corrupting the file.
    (bnc#816517)

  - wireshark crashed in 'SCTP' -> 'Prepare Filter for this     Association'. (bnc#816887)

The installed version of Wireshark 1.8 is earlier than 1.8.7.  It is, therefore, affected by the following vulnerabilities :

  - Errors exist in the ETCH, MySQL, and RELOAD dissectors     that could lead to an infinite loop, resulting in a     denial of service. (Bugs 8546, 8458, 8464)

  - Errors exist in the ASN.1 BER, DCP ETSI, GTPv2, MPEG     DSM-CC, PPP CCP, and Websocket dissectors that could     allow them to crash. (Bugs  8231, 8448, 8499, 8481,     8493, 8540, 8541, 8599, 8638)

ID	Name	Product	Family	Severity
83596	SUSE SLED10 / SLES10 Security Update : wireshark (SUSE-SU-2013:1276-1)	Nessus	SuSE Local Security Checks	high
80807	Oracle Solaris Third-Party Patch Update : wireshark (multiple_vulnerabilities_in_wireshark5)	Nessus	Solaris Local Security Checks	high
79162	CentOS 6 : wireshark (CESA-2013:1569)	Nessus	CentOS Local Security Checks	high
75058	openSUSE Security Update : wireshark (openSUSE-SU-2013:1084-1)	Nessus	SuSE Local Security Checks	high
71301	Scientific Linux Security Update : wireshark on SL6.x i386/x86_64 (20131121)	Nessus	Scientific Linux Local Security Checks	high
71268	Amazon Linux AMI : wireshark (ALAS-2013-251)	Nessus	Amazon Linux Local Security Checks	high
71105	Oracle Linux 6 : wireshark (ELSA-2013-1569)	Nessus	Oracle Linux Local Security Checks	high
71005	RHEL 6 : wireshark (RHSA-2013:1569)	Nessus	Red Hat Local Security Checks	high
69500	GLSA-201308-05 : Wireshark: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69169	SuSE 10 Security Update : wireshark (ZYPP Patch Number 8659)	Nessus	SuSE Local Security Checks	high
69091	SuSE 11.2 / 11.3 Security Update : wireshark (SAT Patch Numbers 8044 / 8045)	Nessus	SuSE Local Security Checks	high
66544	Wireshark 1.8.x < 1.8.7 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2013-3561

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high