Friday, October 24, 2008

Wireshark Multiple Vulnerabilities

Wireshark (http://www.wireshark.org/) is the most popular network protocol analyzer (aka "sniffer").

A memory corruption vulnerability exists in Wireshark, potentially allowing a remote attacker to compromise targeted systems by sending them specially crafted "live" network traffic or malicious network trace files (pcap files).

Multiple denial of service vulnerabilities also exist in Wireshark, allowing a remote attacker to crash targeted systems upon sniffing network traffic or viewing network trace files (pcap files).

Impact:

Full compromise of the targeted system.

Risk:

High

Affected Software:

Wireshark version older than 1.0.4

Additional Information:

The Bluetooth HCI memory corruption vulnerability lies in the BTHCI packet dissector and is caused by insufficient checking of packet parameters. This issue occurs either when Wireshark is configured to sniff Bluetooth traffic (with a USB dongle, for example) and is sent "live" malicious traffic, or upon opening a crafted Bluetooth HCI encapsulation format traffic file.

The Parallel Redundancy Protocol post-dissector (not enabled by default) is vulnerable to a denial of service when handling specially crafted Ethernet frames; the issue is caused by missing exception handling.

The USB URB denial of service vulnerability lies in the USB packet dissector, where insufficient checking of packet parameters is performed; the vulnerability is present only when Wireshark is configured to sniff packets from USB ports or opens a crafted USB traffic pcap file.

The two denial of service conditions above may be used by an attacker as a counter-measure tool, to render network surveillance systems "blind" before engaging in further deleterious action.

Solutions:

Upgrade to latest version available from http://www.wireshark.org/download.html.

Do not open pcap traffic files received from unknown sources.
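As an added, defender-side example (not Fortinet's or Wireshark's code): a small Python checker that validates the length fields of an untrusted pcap before it is opened in an analyzer, and names the link-layer type so an analyst knows whether the Bluetooth HCI or USB dissectors mentioned above would be exercised. The link-type numbers are assumed from the libpcap LINKTYPE registry (they are not quoted in the advisory), and the sample captures are constructed inline.

```python
import struct

_GLOBAL_HDR, _RECORD_HDR = 24, 16
# pcap magic numbers -> struct byte-order prefix (microsecond and nanosecond variants)
_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
# Link-layer types handled by the dissectors named in the advisory; values assumed
# from the libpcap LINKTYPE registry, not taken from the advisory text
LINKTYPE_NAMES = {187: "BLUETOOTH_HCI_H4", 201: "BLUETOOTH_HCI_H4_WITH_PHDR",
                  189: "USB_LINUX", 220: "USB_LINUX_MMAPPED"}


def check_pcap(data: bytes) -> dict:
    """Walk every record header; a file is 'ok' only if all length fields add up."""
    if len(data) < _GLOBAL_HDR:
        return {"ok": False, "problems": ["file shorter than the 24-byte global header"]}
    endian = _MAGIC.get(data[:4])
    if endian is None:
        return {"ok": False, "problems": ["unknown pcap magic"]}
    # global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:_GLOBAL_HDR])
    problems, records, off = [], 0, _GLOBAL_HDR
    while off < len(data):
        if len(data) - off < _RECORD_HDR:
            problems.append(f"record {records}: truncated record header at offset {off}")
            break
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + _RECORD_HDR])
        if incl_len > snaplen:
            problems.append(f"record {records}: incl_len {incl_len} exceeds snaplen {snaplen}")
        if incl_len > orig_len:
            problems.append(f"record {records}: incl_len {incl_len} exceeds orig_len {orig_len}")
        if off + _RECORD_HDR + incl_len > len(data):
            problems.append(f"record {records}: incl_len {incl_len} runs past end of file")
            break
        off += _RECORD_HDR + incl_len
        records += 1
    return {"ok": not problems, "linktype": linktype,
            "linktype_name": LINKTYPE_NAMES.get(linktype, "other"),
            "records": records, "problems": problems}


def build_pcap(linktype: int, records, snaplen: int = 65535) -> bytes:
    """Construct a little-endian pcap in memory (sample input for the demo)."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype)
    for incl_len, orig_len, payload in records:
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + payload
    return out
```

Run `check_pcap(open(path, "rb").read())` on a received capture and refuse to open it in the analyzer when `problems` is non-empty.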

References:

The Wireshark advisory is available at http://www.wireshark.org/security/wnpa-sec-2008-06.html

Bluetooth HCI memory corruption

Parallel Redundancy Protocol denial of service

USB URB dissector denial of service

Acknowledgment:

David Maciejak of Fortinet's FortiGuard Global Security Research Team

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
