Synopsis
An application installed on the remote Windows host is affected by multiple denial of service vulnerabilities.
Description
The version of Wireshark installed on the remote Windows host is 2.0.x prior to 2.0.13 or 2.2.x prior to 2.2.7. It is, therefore, affected by multiple denial of service vulnerabilities :
- A NULL pointer dereference flaw exists in the dissect_msnip() function within file epan/dissectors/packet-msnip.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. (CVE-2017-9343)
- A divide-by-zero error exists in the dissect_connparamrequest() function within file epan/dissectors/packet-btl2cap.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. (CVE-2017-9344)
- An infinite loop condition exists in the expand_dns_name() function within file epan/dissectors/packet-dns.c when handling packets or packet trace files. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to consume excessive CPU resources, resulting in a denial of service condition.
(CVE-2017-9345)
- An infinite loop condition exists in the dissect_slsk_pdu() function within file epan/dissectors/packet-slsk.c when handling packets or packet trace files. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to consume excessive CPU resources, resulting in a denial of service condition.
(CVE-2017-9346)
- A NULL pointer dereference flaw exists in the ros_try_string() function within file epan/dissectors/asn1/ros/packet-ros-template.c due to improper validation of user-supplied input passed as an OID string. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. This issue only affects version 2.2.x. (CVE-2017-9347)
- An out-of-bounds read error exists in the OALMarshal_UncompressValue() function within file epan/dissectors/packet-dof.c when handling Distributed Object Framework (DOF) packets. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. This issue only affects version 2.2.x. (CVE-2017-9348)
- An infinite loop condition exists in the dissect_dcm_pdu_data() function within file epan/dissectors/packet-dcm.c when handling packets or packet trace files. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to consume excessive CPU resources, resulting in a denial of service condition.
(CVE-2017-9349)
- A memory allocation issue exists in the dissect_opensafety_ssdo_message() function within file epan/dissectors/packet-opensafety.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. (CVE-2017-9350)
- An out-of-bounds read error exists in the bootp_option() function within file epan/dissectors/packet-bootp.c when handling vendor class identifier strings in bootp packets due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition.
(CVE-2017-9351)
- An infinite loop condition exists in the get_bzr_pdu_len() function within file epan/dissectors/packet-bzr.c when handling packets or packet trace files. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to consume excessive CPU resources, resulting in a denial of service condition.
(CVE-2017-9352)
- A NULL pointer dereference flaw exists in the dissect_routing6_rpl() function within file epan/dissectors/packet-ipv6.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. This issue only affects version 2.2.x. (CVE-2017-9353)
- A NULL pointer dereference flaw exists in the dissect_rgmp() function within file epan/dissectors/packet-rgmp.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a denial of service condition. (CVE-2017-9354)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Wireshark version 2.0.13 / 2.2.7 or later.
Plugin Details
File Name: wireshark_2_2_7.nasl
Agent: windows
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:wireshark:wireshark
Required KB Items: installed_sw/Wireshark, SMB/Registry/Enumerated
Exploit Ease: Exploits are available
Patch Publication Date: 6/1/2017
Vulnerability Publication Date: 4/22/2017
Reference Information
CVE: CVE-2017-9343, CVE-2017-9344, CVE-2017-9345, CVE-2017-9346, CVE-2017-9347, CVE-2017-9348, CVE-2017-9349, CVE-2017-9350, CVE-2017-9351, CVE-2017-9352, CVE-2017-9353, CVE-2017-9354
BID: 98796, 98797, 98798, 98799, 98800, 98801, 98802, 98803, 98804, 98805, 98806, 98808