
             AUSCERT External Security Bulletin Redistribution

         bro -- Unsafe integer conversions can cause unintentional
                         code paths to be executed
                                4 June 2019


        AusCERT Security Bulletin Summary

Product:           bro
Publisher:         FreeBSD
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12175 CVE-2017-12175 

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

bro -- Unsafe integer conversions can cause unintentional code paths to be executed

Affected packages
  bro   < 2.6.2


VuXML ID  177fa455-48fc-4ded-ba1b-9975caa7f62a
Discovery 2019-05-29
Entry     2019-05-31

Jon Siwek of Corelight reports:

    The following Denial of Service vulnerabilities are addressed:

      - Integer type mismatches in BinPAC-generated parser code and Bro
        analyzer code may allow for crafted packet data to cause unintentional
        code paths in the analysis logic to be taken due to unsafe integer
        conversions causing the parser and analysis logic to each expect
        different fields to have been parsed. One such example, reported by
        Maksim Shudrak, causes the Kerberos analyzer to dereference a null
        pointer. CVE-2019-12175 was assigned for this issue.
      - The Kerberos parser allows for several fields to be left uninitialized,
        but they were not marked with an &optional attribute and several usages
        lacked existence checks. Crafted packet data could potentially cause an
        attempt to access such uninitialized fields, generate a runtime error/
        exception, and leak memory. Existence checks and &optional attributes
        have been added to the relevant Kerberos fields.
      - BinPAC-generated protocol parsers commonly contain fields whose length
        is derived from other packet input, and for those that allow for
        incremental parsing, BinPAC did not impose a limit on how large such a
        field could grow, allowing for remotely-controlled packet data to cause
        growth of BinPAC's flowbuffer bounded only by the numeric limit of an
        unsigned 64-bit integer, leading to memory exhaustion. There is now a
        generalized limit for how large flowbuffers are allowed to grow,
        tunable by setting "BinPAC::flowbuffer_capacity_max".


CVE Name CVE-2017-12175

- --------------------------END INCLUDED TEXT--------------------
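The three issues in the included report (an integer type mismatch that makes a BinPAC-generated parser and the Bro analyzer disagree about which fields were parsed, optional fields used without an existence check, and a flowbuffer whose growth is bounded only by a 64-bit length), illustrated together in one added C++ example. This is not code from Bro, BinPAC, Corelight or the FreeBSD entry: the two-byte "kind/len" record format, the names Record, parse, analyze_vuln_would_null_deref, analyze_fixed, FlowBuffer and flowbuffer_cap_demo, and the 1 MiB cap are all assumptions made for the illustration. Only the setting name BinPAC::flowbuffer_capacity_max is taken from the report.

```cpp
// Added example (not Bro, BinPAC or FreeBSD code). Hypothetical record: byte 0 =
// kind, byte 1 = len, then len bytes of ticket; kind == 1 means a ticket follows.
// Shows (1) a signed/unsigned mismatch that desynchronises parser and analyzer,
// (2) an optional-field existence check, and (3) a capped flow buffer.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Record {
    uint8_t kind = 0;
    const uint8_t* ticket = nullptr;  // null when no ticket was parsed
    size_t ticket_len = 0;
};

// (1) With signed_len == true the length is read as int8_t, so a length byte
// >= 0x80 goes negative, the ticket branch is skipped, and the record still
// goes out with kind == 1. With signed_len == false (the fix) the width and
// signedness match what the analyzer assumes.
Record parse(const std::vector<uint8_t>& pkt, bool signed_len) {
    Record r;
    if (pkt.size() < 2) return r;
    r.kind = pkt[0];
    int len = signed_len ? static_cast<int8_t>(pkt[1]) : pkt[1];
    if (r.kind == 1 && len > 0 && pkt.size() >= 2 + static_cast<size_t>(len)) {
        r.ticket = pkt.data() + 2;
        r.ticket_len = static_cast<size_t>(len);
    }
    return r;
}

// Vulnerable analyzer logic trusts kind == 1 to mean the ticket was parsed and
// would read r.ticket[0]; here we only report whether that read hits a null.
bool analyze_vuln_would_null_deref(const Record& r) {
    return r.kind == 1 && r.ticket == nullptr;
}

// (2) Hardened analyzer: the ticket is optional and its presence is checked
// before use. Returns the first ticket byte, or -1 if absent or truncated.
int analyze_fixed(const Record& r) {
    if (r.kind != 1 || r.ticket == nullptr || r.ticket_len == 0) return -1;
    return r.ticket[0];
}

// (3) Incremental flow buffer with a hard cap on how much one length-prefixed
// field may demand; same intent as BinPAC::flowbuffer_capacity_max, own API.
class FlowBuffer {
public:
    explicit FlowBuffer(uint64_t cap_max) : cap_max_(cap_max) {}
    // Called once the parser learns a field's length from packet data;
    // refuses instead of reserving an attacker-chosen amount of memory.
    bool begin_field(uint64_t field_len) {
        if (field_len > cap_max_) return false;
        want_ = static_cast<size_t>(field_len);
        data_.clear();
        return true;
    }
    // Append the next chunk; never grows past the declared field length.
    void feed(const uint8_t* p, size_t n) {
        size_t room = want_ - data_.size();
        data_.insert(data_.end(), p, p + (n < room ? n : room));
    }
    bool complete() const { return data_.size() == want_; }
    size_t size() const { return data_.size(); }
private:
    uint64_t cap_max_;
    size_t want_ = 0;
    std::vector<uint8_t> data_;
};

// Constructed inputs: a benign 3-byte ticket, and a well-formed record whose
// length byte is 0x80 (128): signed parsing sees -128, unsigned parses 128 bytes.
const std::vector<uint8_t> kBenign = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
std::vector<uint8_t> make_crafted() {
    std::vector<uint8_t> pkt = {0x01, 0x80};
    pkt.insert(pkt.end(), static_cast<size_t>(128), static_cast<uint8_t>(0x41));
    return pkt;
}

// A 2^64-1 length is refused (1 MiB cap chosen for the example); a 4-byte
// field fed in two over-long chunks completes at exactly 4 bytes.
bool flowbuffer_cap_demo() {
    FlowBuffer fb(1u << 20);
    if (fb.begin_field(UINT64_MAX) || !fb.begin_field(4)) return false;
    const uint8_t chunk[] = {1, 2, 3, 4, 5, 6};
    fb.feed(chunk, 2);
    if (fb.complete()) return false;
    fb.feed(chunk + 2, 4);
    return fb.complete() && fb.size() == 4;
}

int main() {
    std::vector<uint8_t> crafted = make_crafted();
    bool ok = analyze_vuln_would_null_deref(parse(crafted, true)) &&
              analyze_fixed(parse(crafted, false)) == 0x41 && flowbuffer_cap_demo();
    return ok ? 0 : 1;
}
```

The crafted record is well formed; only the parser's choice of a signed length type makes the analyzer's "kind == 1 implies ticket present" assumption false. The hardened analyzer returns -1 for that record whichever parser produced it, which is the effect of adding existence checks on top of fixing the types. In the buffer, the check sits where the length is learned from packet data, before any allocation, so a remote peer cannot drive memory use with a 64-bit length it controls.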

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.