copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ASB-2016.0016.2 - UPDATE [Win][UNIX/Linux] Wireshark: Multiple vulnerabilities

Date: 02 May 2016
References: ESB-2016.0674  ESB-2016.1601  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2016.0016.2
        Multiple vulnerabilities have been identified in Wireshark
                                2 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Wireshark
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-2532 CVE-2016-2530 CVE-2016-2529
                  CVE-2016-2528 CVE-2016-2527 CVE-2016-2526
                  CVE-2016-2525 CVE-2016-2524 CVE-2016-2523
                  CVE-2016-2522 CVE-2016-2521 

Revision History: May       2 2016: 	Added CVE numbers CVE-2016-4421, 
					CVE-2016-4420, CVE-2016-4419, 
					CVE-2016-4418, CVE-2016-4417, 
					CVE-2016-4416, and CVE-2016-4415

                  February 29 2016: 	Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Wireshark prior to
        versions 1.12.10 and 2.0.2. [1-18]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "CVE-2016-2521:
        
        Description
        
        Wireshark is vulnerable to DLL hijacking as described in Microsoft 
        Security Advisory 2269637. Discovered by Behzad Najjarpour Jabbari,
        Secunia Research at Flexera Software.
        
        Impact
        
        It may be possible to make Wireshark to run hostile code by placing
        a specially-coded DLL in the same directory as a capture file." [1]
        
        "CVE-2016-2522:
        
        Description
        
        The ASN.1 BER dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [2]
        
        "CVE-2016-2523:
        
        Description
        
        The DNP3 dissector could go into an infinite loop.
        
        Impact
        
        It may be possible to make Wireshark consume excessive CPU resources
        by injecting a malformed packet onto the wire or by convincing 
        someone to read a malformed packet trace file." [3]
        
        "CVE-2016-2524:
        
        Description
        
        The X.509AF dissector could crash.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [4]
        
        "CVE-2016-2525:
        
        Description
        
        The HTTP/2 dissector could crash. Discovered by Noam Mazor.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [5]
        
        "CVE-2016-2526:
        
        Description
        
        The HiQnet dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [6]
        
        "CVE-2016-2527:
        
        Description
        
        The 3GPP TS 32.423 Trace file parser could crash. Discovered by 
        Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by convincing someone to
        read a malformed packet trace file." [7]
        
        "CVE-2016-2528:
        
        Description
        
        The LBMC dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [8]
        
        "CVE-2016-2529:
        
        Description
        
        The iSeries file parser could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by convincing someone to
        read a malformed packet trace file." [9]
        
        "CVE-2016-2530:
        
        Description
        
        The RSL dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [10]
        
        "CVE-2016-2532:
        
        Description
        
        The LLRP dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [11]
        
        "CVE-2016-4415:
        
        Description
        
        The IxVeriWave file parser could crash. Discovered by Mateusz 
        Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by convincing someone to
        read a malformed packet trace file." [12]
        
        "CVE-2016-4416:
        
        Description
        
        The IEEE 802.11 dissector could crash. Discovered by Mateusz 
        Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [13]
        
        "CVE-2016-4417:
        
        Description
        
        The GSM A-bis OML dissector could crash. Discovered by Mateusz 
        Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [14]
        
        "CVE-2016-4418:
        
        Description
        
        The ASN.1 BER dissector could crash.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [15]
        
        "CVE-2016-4419:
        
        Description
        
        The SPICE dissector could enter a large loop.
        
        Impact
        
        It may be possible to make Wireshark crash or consume excessive CPU
        resources by injecting a malformed packet onto the wire or by 
        convincing someone to read a malformed packet trace file." [16]
        
        "CVE-2016-4420:
        
        Description
        
        The NFS dissector could crash.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [17]
        
        "CVE-2016-4421:
        
        Description
        
        The ASN.1 BER dissector could crash. Discovered by Mateusz Jurczyk.
        
        Impact
        
        It may be possible to make Wireshark crash by injecting a malformed
        packet onto the wire or by convincing someone to read a malformed 
        packet trace file." [18]


MITIGATION

        The vendor recommends upgrading to the latest version of Wireshark 
        to address these vulnerabilities. [1-18]


REFERENCES

        [1] wnpa-sec-2016-01 - DLL hijacking vulnerability in Wireshark
            https://www.wireshark.org/security/wnpa-sec-2016-01.html

        [2] wnpa-sec-2016-02 - ASN.1 BER dissector crash
            https://www.wireshark.org/security/wnpa-sec-2016-02.html

        [3] wnpa-sec-2016-03 - DNP3 dissector infinite loop
            https://www.wireshark.org/security/wnpa-sec-2016-03.html

        [4] wnpa-sec-2016-04 - X.509AF crash
            https://www.wireshark.org/security/wnpa-sec-2016-04.html

        [5] wnpa-sec-2016-05 - HTTP/2 dissector crash
            https://www.wireshark.org/security/wnpa-sec-2016-05.html

        [6] wnpa-sec-2016-06 - HiQnet dissector crash
            https://www.wireshark.org/security/wnpa-sec-2016-06.html

        [7] wnpa-sec-2016-07 - 3GPP TS 32.423 Trace file parser crash
            https://www.wireshark.org/security/wnpa-sec-2016-07.html

        [8] wnpa-sec-2016-08 - LBMC dissector crash
            https://www.wireshark.org/security/wnpa-sec-2016-08.html

        [9] wnpa-sec-2016-09 - iSeries file parser crash
            https://www.wireshark.org/security/wnpa-sec-2016-09.html

        [10] wnpa-sec-2016-10 - RSL dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-10.html

        [11] wnpa-sec-2016-11 - LLRP dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-11.html

        [12] wnpa-sec-2016-12 - Ixia IxVeriWave file parser crash
             https://www.wireshark.org/security/wnpa-sec-2016-12.html

        [13] wnpa-sec-2016-13 - IEEE 802.11 dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-13.html

        [14] wnpa-sec-2016-14 - GSM A-bis OML dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-14.html

        [15] wnpa-sec-2016-15 - ASN.1 BER dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-15.html

        [16] wnpa-sec-2016-16 - SPICE dissector large loop
             https://www.wireshark.org/security/wnpa-sec-2016-16.html

        [17] wnpa-sec-2016-17 - NFS dissector crash
             https://www.wireshark.org/security/wnpa-sec-2016-17.html

        [18] wnpa-sec-2016-18 - ASN.1 BER dissector crash.
             https://www.wireshark.org/security/wnpa-sec-2016-18.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVyajcH6ZAP0PgtI9AQLsixAAgDU33Qhou4o/7oIVgqHcyzQsSxk9nkML
nmc7zrT5aPr9KSFl3aLQXVS8FREjHnRrXVHSUCNzLk6/NtLk0UvwbOXoOKPIRt1z
l5+MnLKFl44UmpxrLZFunyIQ7vp07h8go5tFQEnJDyUsWMoMywcmxqFjbe3avtu5
48sof+FJza0ngw5m8lTYdJyjrN23aB30WZ0rig8Kx/swDbJFtI2x049B8NSMuidS
cCprENfIHQXnncj+qXx+tlRBx23mB5dJnAohU7X+EL1zYEIJXWCwY/PEC/KoQRzB
ebDyGcb4Zcf2Zy68oQUA/KTzuXuA3gDWPE8kISn/OHjvEdisPhbzgIVSuj/TPvaS
hN0JsCP9ZYEi6nrBSr2O8oU36bLxe0O7iUhx7r7/AXokDetKrwTneRps+QOiJ0ie
WR7AoA8eu0DFWyKFBDUnDiybIdhMugcsVonzdBiAzKhudiiPg8UOsU5FMOjy+JbJ
sYqsfrwDBHLSz+yd+dI3TwFYNv4GoTd6Y6O3c4EaSiEEi/xZmzPf8ArA9CnOUjc8
xOa2+DfD+ei08uA66HZJHpht/YH7vHGXg2BaQjOM6kxo5GH2Z5rOyVzE9iW5H+tN
JnQB6uqUezfcaYc53OtyZSFXdVUW7W9ZSXa5y0GF2er+eW9mEYHRfMtOg4HR8mcN
35jzwbrT0c8=
=pRvx
-----END PGP SIGNATURE-----