Name: Multiple problems in Ethereal versions 0.8.5 to 0.10.11
Docid: enpa-sa-00020
Date: July 26, 2005
Versions affected: 0.8.5 up to and including 0.10.11
Severity:
High
Description:
Our testing program has turned up several more security issues:
- The LDAP dissector could free static memory and crash.
  Versions affected: 0.8.5 to 0.10.11
- The AgentX dissector could crash.
  Versions affected: 0.10.10 to 0.10.11
- The 802.3 dissector could go into an infinite loop.
  Versions affected: 0.8.16 to 0.10.11
- The PER dissector could abort.
  Versions affected: 0.10.5 to 0.10.11
- The DHCP dissector could go into an infinite loop.
  Versions affected: 0.10.7 to 0.10.11
- The BER dissector could abort or loop infinitely.
  Version affected: 0.10.11
- The MEGACO dissector could go into an infinite loop.
  Versions affected: 0.9.14 to 0.10.11
- The GIOP dissector could dereference a null pointer.
  Versions affected: 0.8.20 to 0.10.11
- The SMB dissector was susceptible to a buffer overflow.
  Versions affected: 0.9.12 to 0.10.11
- The WBXML dissector could dereference a null pointer.
  Versions affected: 0.10.1 to 0.10.11
- The H1 dissector could go into an infinite loop.
  Versions affected: 0.8.15 to 0.10.11
- The DOCSIS dissector could cause a crash.
  Versions affected: 0.9.13 to 0.10.11
- The SMPP dissector could go into an infinite loop.
  Versions affected: 0.10.1 to 0.10.11
- SCTP graphs could crash.
  Version affected: 0.10.11
- The HTTP dissector could crash.
  Versions affected: 0.10.4 to 0.10.11
- The SMB dissector could go into a large loop.
  Versions affected: 0.9.0 to 0.10.11
- The DCERPC dissector could crash.
  Versions affected: 0.9.16 to 0.10.11
- Several dissectors could crash while reassembling packets.
  Versions affected: 0.9.0 to 0.10.11

Steve Grubb at Red Hat found the following issues:
- The CAMEL dissector could dereference a null pointer.
  Version affected: 0.10.11
- The DHCP dissector could crash.
  Versions affected: 0.10.4 to 0.10.11
- The CAMEL dissector could crash.
  Versions affected: 0.10.10 to 0.10.11
- The PER dissector could crash.
  Versions affected: 0.10.10 to 0.10.11
- The RADIUS dissector could crash.
  Versions affected: 0.9.4 to 0.10.11
- The Telnet dissector could crash.
  Versions affected: 0.9.10 to 0.10.11
- The IS-IS LSP dissector could crash.
  Versions affected: 0.8.19 to 0.10.11
- The NCP dissector could crash.
  Versions affected: 0.9.15 to 0.10.11

iDEFENSE found the following issues:
- Several dissectors were susceptible to a format string overflow.
  Versions affected: 0.9.4 to 0.10.11

Ethereal uses the zlib compression library. Security vulnerabilities
have been discovered in zlib 1.2.1 and 1.2.2. The Windows installer
now ships with zlib 1.2.3, which fixes these vulnerabilities.
Impact:
It may be possible to make Ethereal crash, use up available
memory, or run arbitrary code by injecting a purposefully
malformed packet onto the wire or by convincing someone to read
a malformed packet trace file.
Resolution:
Upgrade to 0.10.12. Due to the severity and scope of the defects
that have been discovered, no workaround is available.