KLA10730 Denial of service vulnerabilities in Wireshark

Multiple serious vulnerabilities have been found in Wireshark. Malicious users can exploit these vulnerabilities to cause denial of service.

Below is a complete list of vulnerabilities

1. Improper data validation and lack of restrictions can be exploited remotely via a specially designed packet or file;
2. Improper memory access can be exploited remotely via a specially designed packet or file;
3. Improper functions usage can be exploited remotely via a specially designed packet;
4. Improper feature maintenance can be exploited remotely via a specially designed packet.

Technical details

Vulnerabilities (1) related to multiple reasons listed below:

dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c at the MS-WSP dissector does not validate column size.

dissect_tds7_colmetadata_token function in epan/dissectors/packet-tds.c at the TDS dissector does not validate the number of columns.

s7comm_decode_ud_cpu_szl_subfunc function in epan/dissectors/packet-s7comm_szl_ids.c at the S7COMM dissector does not validate the list count in an SZL response.

mp2t_open function in wiretap/mp2t.c at the MP2T file parser does not validate the bit rate.

dissect_nwp function in epan/dissectors/packet-nwp.c at the NWP dissector mishandles the packet type.

ngsniffer_process_record function in wiretap/ngsniffer.c at the Sniffer file parser does not validate the relationships between record lengths and record header lengths.

dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/packet-zbee-zcl-general.c at the ZigBee ZCL dissector does not validate the Total Profile Number field.

dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c at the RSL dissector does not reject unknown TLV types.

epan/dissectors/packet-nbap.c at the NBAP dissector does not validate the number of items.

ascend_seek function in wiretap/ascendtext.c at the Ascend file parser does not ensure the presence of a ‘ ’ character at the end of a date string.

wiretap/vwr.c at the VeriWave file parser does not validate certain signature and Modulation and Coding Scheme (MCS) data.

dissect_diameter_base_framed_ipv6_prefix function in epan/dissectors/packet-diameter.c at the DIAMETER dissector does not validate the IPv6 prefix length.

AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c at the 802.11 dissector does not verify the WPA broadcast key length.

AirPDcapPacketProcess function in epan/crypt/airpdcap.c at the 802.11 dissector does not validate the relationship between the total length and the capture length.

epan/dissectors/packet-sctp.c at the SCTP dissector does not validate the frame pointer.

dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber.c at the BER dissector improperly checks an sscanf return value.

dissect_sdp function in epan/dissectors/packet-sdp.c at the SDP dissector does not prevent use of a negative media count.

init_t38_info_conv function in epan/dissectors/packet-t38.c at the T.38 dissector does not ensure that a conversation exists.

epan/dissectors/packet-alljoyn.c at the AllJoyn dissector does not check for empty arguments.

Vulnerabilities (2) related to multiple reasons listed below:

dissect_ppi function in epan/dissectors/packet-ppi.c at the PPI dissector does not initialize a packet-header data structure.

ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c at the IPMI dissector improperly attempts to access a packet scope.

mp2t_find_next_pcr function in wiretap/mp2t.c at the MP2T file parser does not reserve memory for a trailer.

get_value function in epan/dissectors/packet-btatt.c at the Bluetooth Attribute (aka BT ATT) dissector uses an incorrect integer data type.

Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c can be triggered via packet with zlib compression.

Double free vulnerability in epan/dissectors/packet-nlm.c at the NLM dissector can be triggered when the “Match MSG/RES packets for async NLM” option is enabled.

dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c at the DCOM dissector does not initialize a certain IPv4 data structure.

epan/dissectors/packet-umts_fp.c at the UMTS FP dissector does not properly reserve memory for channel ID mappings.

Vulnerabilities (3) related to multiple reasons listed below:

The Mobile Identity parser in epan/dissectors/packet-ansi_a.c at the ANSI A dissector and epan/dissectors/packet-gsm_a_common.c at the GSM A dissector improperly uses the tvb_bcd_dig_to_wmem_packet_str function.

dissect_dns_answer function in epan/dissectors/packet-dns.c at the DNS dissector mishandles the EDNS0 Client Subnet option.

Vulnerability (4) related to dissect_rsvp_common function in epan/dissectors/packet-rsvp.c at the RSVP dissector which does not properly maintain request-key data.

Original advisories

Wireshark adviosries list

Related products

Wireshark

CVE list

CVE-2015-8727 warning

CVE-2015-8719 warning

CVE-2015-8720 warning

CVE-2015-8717 warning

CVE-2015-8718 warning

CVE-2015-8723 warning

CVE-2015-8724 warning

CVE-2015-8721 warning

CVE-2015-8722 warning

CVE-2015-8715 warning

CVE-2015-8716 warning

CVE-2015-8735 warning

CVE-2015-8736 warning

CVE-2015-8737 warning

CVE-2015-8738 warning

CVE-2015-8739 warning

CVE-2015-8740 warning

CVE-2015-8741 warning

CVE-2015-8742 warning

CVE-2015-8726 warning

CVE-2015-8725 warning

CVE-2015-8730 warning

CVE-2015-8729 warning

CVE-2015-8728 warning

CVE-2015-8713 warning

CVE-2015-8734 warning

CVE-2015-8733 warning

CVE-2015-8732 warning

CVE-2015-8731 warning

CVE-2015-8714 warning

Solution

Update to the latest version

Download Wireshark

Impacts

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

• Wireshark 1.12 versions earlier than 1.12.9Wireshark 2.0 versions earlier than 2.0.1