Bug 199958 - net-analyzer/wireshark < 0.99.7 Multiple vulnerabilities (CVE-2007-{6111,6112,6113,6114,6115,6116,6117,6118,6119,6120,6121,6438,6439,6441,6450,6451})

Bug#: 199958
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: lars@chaotika.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/27777/
Keywords:
Status Whiteboard: B1 [glsa]

Opened: 2007-11-22 09:44 0000
Some vulnerabilities have been reported in Wireshark, which can be exploited by
malicious people to cause a DoS (Denial of Service).
The vulnerabilities are caused due to various errors (e.g. large loops with
extreme memory consumption, endless loops, crashes, and buffer overflows)
within the following:
* SSL, ANSI MAP, Firebird/Interbase, NCP, HTTP, MEGACO, DCP ETSI, PPP, and
Bluetooth SDP dissectors
* when processing a malformed MP3 or iSeries (OS/400) Communication trace file
* when processing a malformed DNP or RPC Portmap packet
These can be exploited to crash Wireshark or consume large amounts of system
resources by e.g. parsing a specially crafted packet that is either captured
off the wire or loaded via a capture file.
The vulnerabilities are reported in various versions from 0.8.16 through
0.99.6. Other versions may also be affected.
Solution:
Update to version 0.99.7.
Provided and/or discovered by:
Stefan Esser (SSL dissector)
Beyond Security (DNP packet)
Fabiodds (iSeries (OS/400) Communication trace file)
Peter Leeming (ANSI MAP)
Steve (Firebird/Interbase)
ainsley (RPC Portmap)
Original Advisory:
http://www.wireshark.org/security/wnpa-sec-2007-03.html
Reproducible: Always
maintainers - please provide an updated ebuild
Upgrading to B2 because it might be possible to execute code according to the
CVE entries:
CVE-2007-6111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6111):
Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow
remote attackers to cause a denial of service (crash) via (1) a crafted MP3
file or (2) unspecified vectors to the NCP dissector.
CVE-2007-6112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6112):
Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6
allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via unknown vectors.
CVE-2007-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6113):
Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to
cause a denial of service (long loop) via a malformed DNP packet.
CVE-2007-6114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6114):
Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through
0.99.6 allow remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries
(OS/400) Communication trace file parser.
CVE-2007-6115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6115):
Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal)
0.99.5 to 0.99.6, when running on unspecified platforms, allows remote
attackers to cause a denial of service and possibly execute arbitrary code
via unknown vectors.
CVE-2007-6116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6116):
The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6
allows remote attackers to cause a denial of service (infinite loop or crash)
via unknown vectors.
CVE-2007-6117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6117):
Unspecified vulnerability in the HTTP dissector for Wireshark (formerly
Ethereal) 0.10.14 to 0.99.6 has unknown impact and remote attack vectors
related to chunked messages.
CVE-2007-6118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6118):
The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows
remote attackers to cause a denial of service (long loop and resource
consumption) via unknown vectors.
CVE-2007-6119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6119):
The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote
attackers to cause a denial of service (long loop and resource consumption)
via unknown vectors.
CVE-2007-6120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6120):
The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6
allows remote attackers to cause a denial of service (infinite loop) via
unknown vectors.
CVE-2007-6121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6121):
Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to
cause a denial of service (crash) via a malformed RPC Portmap packet.
Upgrading again since these flaws might allow root compromise.
Peter, please have a look at the new packaging options described in section "3.
Privileges" here:
http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging
It allows installing some components of wireshark (TShark and dumpcap) setuid
root, so the dissector part of wireshark is not run with root privileges.
Upstream encourages packagers to enable this feature, but to make the files
executable only by a certain Unix group.
Would that be an option we could introduce with the new wireshark release's
ebuild?
Wireshark 0.99.7 was finally released.
Peter, thanks for taking note of the new setuid feature. However, it is
important that you do not install that file the way wireshark leaves it (setuid
root), because that way every user on the system can execute it and sniff
packets, which usually is a huge security leak.
In order to use the setuid feature, the best way to go is to set the setuid
files o-x, but g+x, and change the group to "wireshark" -- that group then
contains all users trusted to sniff packets. Or use another net analyzer group
if available.
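The permission scheme proposed in the two comments above, as an added example that is not part of the bug or of the Gentoo ebuild: one function applies it to the setuid helper and one audits it. It assumes GNU stat (as on Gentoo), the group name "wireshark" from the comment, and an install path of /usr/bin/dumpcap, which the bug does not state; mode 4750 also drops other-read, slightly stricter than the plain o-x suggested.

```shell
#!/bin/sh
# Added example (not from the bug): apply and verify the dumpcap permission
# scheme discussed in the bug: setuid root, group "wireshark", mode 4750
# (u=rwxs, g=rx, o=---), so only group members can start the capture helper.
# Assumes GNU stat (-c), as shipped on Gentoo.

# harden_dumpcap PATH GROUP
# Restrict the setuid helper to members of GROUP. The file is expected to be
# owned by root already (the package install does that); this only fixes the
# group and the mode bits. Must run as root or as a member of GROUP.
harden_dumpcap() {
    path=$1; group=$2
    chgrp "$group" "$path" &&
    chmod 4750 "$path"      # setuid + u=rwx, g=rx, o=---: no world execute
}

# check_dumpcap_perms PATH OWNER GROUP
# Returns 0 when PATH is setuid, owned by OWNER:GROUP and not executable (or
# readable) by "other"; returns 1 otherwise. Usable as an install-time check
# or a periodic audit of setuid binaries.
check_dumpcap_perms() {
    path=$1; want_owner=$2; want_group=$3
    # stat prints "<octal mode> <owner> <group>", e.g. "4750 root wireshark"
    set -- $(stat -c '%a %U %G' "$path" 2>/dev/null) || return 1
    mode=$1; owner=$2; group=$3
    [ "$mode" = "4750" ] &&
    [ "$owner" = "$want_owner" ] &&
    [ "$group" = "$want_group" ]
}

# Usage on an installed system (assumed path, group from the bug):
#   harden_dumpcap /usr/bin/dumpcap wireshark
#   check_dumpcap_perms /usr/bin/dumpcap root wireshark && echo "dumpcap OK"
```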
Robert, thank you again. Of course it's better to allow only trusted users to
sniff the traffic. New version with some cleanups and your suggestions is in portage.
Seems you forgot to add a file. Not ready for stable testing :-)
I was 5 seconds earlier. The bug 202866 is fixed :)
Additional issues already covered by 0.99.7
CVE-2007-6451
Unspecified vulnerability in the CIP dissector in Wireshark
(formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers
to cause a denial of service (crash) via unknown vectors
that trigger allocation of large amounts of memory.
CVE-2007-6450
The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to
0.99.6 allows remote attackers to cause a denial of service
(infinite loop) via unknown vectors.
CVE-2007-6441
The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6
allows remote attackers to cause a denial of service (crash)
via unknown vectors related to "unaligned access on some
platforms."
CVE-2007-6439
Wireshark (formerly Ethereal) 0.99.6 allows remote attackers
to cause a denial of service (infinite or large loop) via
the (1) IPv6 or (2) USB dissector, which can trigger
resource consumption or a crash. NOTE: this identifier
originally included Firebird/Interbase, but it is already
covered by CVE-2007-6116. The DCP ETSI issue is already
covered by CVE-2007-6119.
CVE-2007-6438
Unspecified vulnerability in the SMB dissector in Wireshark
(formerly Ethereal) 0.99.6 allows remote attackers to cause
a denial of service via unknown vectors. NOTE: this
identifier originally included MP3 and NCP, but those issues
are already covered by CVE-2007-6111.
Peter, your new ebuild looks fine. Thanks a lot for the fast reactions.
Arches, please test and mark stable net-analyzer/wireshark-0.99.7.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
GLSA 200712-23, thank you.