History: Feb 27, 2016 - 12:00 a.m.

KLA10763 Multiple vulnerabilities in Wireshark

2016-02-27 00:00:00
Kaspersky Lab
threats.kaspersky.com
CVSS2: 7.2 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.8 Medium (Confidence: High)

EPSS: 0.008 Low (Percentile: 81.1%)

Multiple serious vulnerabilities have been found in Wireshark. Malicious users can exploit these vulnerabilities to cause denial of service or gain privileges.

Below is a complete list of vulnerabilities:

  1. Multiple vulnerabilities in LLRP, RSL, LBMC, HiQnet, HTTP/2, X.509AF, DNP3 and ASN.1 BER dissectors can be exploited remotely via a specially designed packet;
  2. Multiple vulnerabilities in iSeries and 3GPP TS 32.423 Trace file parsers can be exploited remotely via a specially designed file;
  3. Untrusted path vulnerability can be exploited locally via DLL hijack. (Windows)

Technical details

Vulnerability (1) covers the separate vulnerabilities listed below:

  1. dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector does not limit recursion depth;
  2. Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector which can be triggered via packet with 0xFF tag value;
  3. dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector mishandles unrecognized TLV type;
  4. dissect_nhdr_extopt function in epan/dissectors/packet-lbmc.c in the LBMC dissector does not validate length values;
  5. epan/dissectors/packet-hiqnet.c in the HiQnet dissector does not validate data type;
  6. epan/dissectors/packet-http2.c in the HTTP/2 dissector does not limit the amount of header data;
  7. epan/dissectors/packet-x509af.c in the X.509AF dissector mishandles the algorithm ID;
  8. An unknown vulnerability related to dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector;
  9. dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector.

Vulnerability (2) covers the vulnerabilities listed below:

  1. iseries_check_file_type function in wiretap/iseries.c in the iSeries file parser does not consider that a line may lack the “OBJECT PROTOCOL” substring;
  2. wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser does not ensure that a ‘\0’ character is present at the end of certain strings.

Vulnerability (3) is related to the WiresharkApplication class in ui/qt/wireshark_application.cpp and its use of QLibrary, and can be triggered via a Trojan horse riched20.dll.dll in the current working directory.

Original advisories

Related products

Wireshark

CVE list

CVE-2016-2530 warning

CVE-2016-2521 high

CVE-2016-2531 warning

CVE-2016-2532 warning

CVE-2016-2528 warning

CVE-2016-2529 warning

CVE-2016-2526 warning

CVE-2016-2527 warning

CVE-2016-2524 warning

CVE-2016-2525 warning

CVE-2016-2522 warning

CVE-2016-2523 high

Solution

Update to the latest version

Get Wireshark

Impacts

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can allow an abuser to perform actions that are normally disallowed for the current role.

Affected Products

  • Wireshark 1.12 versions earlier than 1.12.10
  • Wireshark 2.0 versions earlier than 2.0.2
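
To check an inventory against the affected ranges listed above, the following added example (not part of the Kaspersky advisory or the Wireshark project) classifies version banners collected from `tshark -v` or `wireshark -v`. The host names and banner strings are constructed, and the function names are hypothetical.

```python
import re

# Fixed release per branch, taken from the advisory's "Affected Products" list.
FIXED = {(1, 12): (1, 12, 10), (2, 0): (2, 0, 2)}

_VERSION_RE = re.compile(r"\b(?:TShark|Wireshark)\b[^\d\n]*(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Extract (major, minor, patch) from version banner text, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def kla10763_status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a version tuple."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unlisted"  # branch not named by the advisory; assess it separately
    # Compare as integer tuples: as strings, "1.12.9" sorts after "1.12.10".
    return "affected" if version < fixed else "fixed"


def triage(banners):
    """Map host -> status for a dict of host -> banner text."""
    out = {}
    for host, banner in banners.items():
        version = parse_banner(banner)
        out[host] = kla10763_status(version) if version else "unparsed"
    return out


# Constructed sample banners, not real inventory data.
SAMPLE = {
    "analyst-01": "TShark 1.12.9 (constructed build info)",
    "analyst-02": "TShark (Wireshark) 2.0.2 (constructed build info)",
    "sensor-07": "Wireshark 2.0.1 (constructed build info)",
    "lab-03": "TShark 1.10.14 (constructed build info)",
    "kiosk-09": "tshark: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" run a branch the advisory does not name, so their status has to be established from another source.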
