Name: Multiple problems in Ethereal versions 0.7.7 to 0.10.12
Docid: enpa-sa-00021
Date: October 19, 2005
Versions affected: 0.7.7 up to and including 0.10.12
Severity: High
Description:
Our testing program has turned up several more security issues:
The FC-FCS dissector could exhaust system memory.
Versions affected: 0.9.0 to 0.10.12.
CVE: CAN-2005-3241
The RSVP dissector could exhaust system memory.
Versions affected: 0.9.4 to 0.10.12.
CVE: CAN-2005-3241
The ISIS LSP dissector could exhaust system memory.
Versions affected: 0.8.18 to 0.10.12.
CVE: CAN-2005-3241
The IrDA dissector could crash.
Versions affected: 0.10.0 to 0.10.12.
CVE: CAN-2005-3242
The SLIMP3 dissector could overflow a buffer.
Versions affected: 0.9.1 to 0.10.12.
CVE: CAN-2005-3243
The BER dissector was susceptible to an infinite loop.
Versions affected: 0.10.3 to 0.10.12.
CVE: CAN-2005-3244
The SCSI dissector could dereference a null pointer and crash.
Versions affected: 0.10.3 to 0.10.12.
CVE: CAN-2005-3246
If the "Dissect unknown RPC program numbers" option was enabled, the ONC RPC dissector might be able to exhaust system memory. This option is disabled by default.
Versions affected: 0.7.7 to 0.10.12.
CVE: CAN-2005-3245
The sFlow dissector could dereference a null pointer and crash.
Versions affected: 0.9.14 to 0.10.12.
CVE: CAN-2005-3246
The RTnet dissector could dereference a null pointer and crash.
Versions affected: 0.10.8 to 0.10.12.
CVE: CAN-2005-3246
The SigComp UDVM could go into an infinite loop or crash.
Versions affected: 0.10.12.
CVE: CAN-2005-3247
If SMB transaction payload reassembly is enabled, the SMB dissector could crash. This preference is disabled by default.
Versions affected: 0.9.7 to 0.10.12.
CVE: CAN-2005-3242
The X11 dissector could attempt to divide by zero.
Versions affected: 0.10.1 to 0.10.12.
CVE: CAN-2005-3248
The AgentX dissector could overflow a buffer.
Versions affected: 0.10.10 to 0.10.12.
CVE: CAN-2005-3243
The WSP dissector could free an invalid pointer.
Versions affected: 0.10.1 to 0.10.12.
CVE: CAN-2005-3249
iDEFENSE found a buffer overflow in the SRVLOC dissector.
Versions affected: 0.10.0 to 0.10.12.
CVE: CAN-2005-3184
Impact:
It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Resolution:
Upgrade to 0.10.13. Due to the severity and scope of the defects that have been discovered, no workaround is available.