===========================================================================
AUSCERT Security Bulletin

ASB-2016.0016.2
Multiple vulnerabilities have been identified in Wireshark
2 May 2016
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Wireshark
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2532 CVE-2016-2530 CVE-2016-2529
                   CVE-2016-2528 CVE-2016-2527 CVE-2016-2526
                   CVE-2016-2525 CVE-2016-2524 CVE-2016-2523
                   CVE-2016-2522 CVE-2016-2521

Revision History:  May 2 2016: Added CVE numbers CVE-2016-4421,
                   CVE-2016-4420, CVE-2016-4419, CVE-2016-4418,
                   CVE-2016-4417, CVE-2016-4416, and CVE-2016-4415
                   February 29 2016: Initial Release

OVERVIEW

Multiple vulnerabilities have been identified in Wireshark prior to
versions 1.12.10 and 2.0.2. [1-18]

IMPACT

The vendor has provided the following details regarding the
vulnerabilities:

"CVE-2016-2521:
Description
Wireshark is vulnerable to DLL hijacking as described in Microsoft Security Advisory 2269637. Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera Software.
Impact
It may be possible to make Wireshark to run hostile code by placing a specially-coded DLL in the same directory as a capture file." [1]

"CVE-2016-2522:
Description
The ASN.1 BER dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [2]

"CVE-2016-2523:
Description
The DNP3 dissector could go into an infinite loop.
Impact
It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [3]

"CVE-2016-2524:
Description
The X.509AF dissector could crash.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [4]

"CVE-2016-2525:
Description
The HTTP/2 dissector could crash. Discovered by Noam Mazor.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [5]

"CVE-2016-2526:
Description
The HiQnet dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [6]

"CVE-2016-2527:
Description
The 3GPP TS 32.423 Trace file parser could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file." [7]

"CVE-2016-2528:
Description
The LBMC dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [8]

"CVE-2016-2529:
Description
The iSeries file parser could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file." [9]

"CVE-2016-2530:
Description
The RSL dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [10]

"CVE-2016-2532:
Description
The LLRP dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [11]

"CVE-2016-4415:
Description
The IxVeriWave file parser could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by convincing someone to read a malformed packet trace file." [12]

"CVE-2016-4416:
Description
The IEEE 802.11 dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [13]

"CVE-2016-4417:
Description
The GSM A-bis OML dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [14]

"CVE-2016-4418:
Description
The ASN.1 BER dissector could crash.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [15]

"CVE-2016-4419:
Description
The SPICE dissector could enter a large loop.
Impact
It may be possible to make Wireshark crash or consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [16]

"CVE-2016-4420:
Description
The NFS dissector could crash.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [17]

"CVE-2016-4421:
Description
The ASN.1 BER dissector could crash. Discovered by Mateusz Jurczyk.
Impact
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file." [18]

MITIGATION

The vendor recommends upgrading to the latest version of Wireshark to
address these vulnerabilities. [1-18]

REFERENCES

[1] wnpa-sec-2016-01 - DLL hijacking vulnerability in Wireshark
    https://www.wireshark.org/security/wnpa-sec-2016-01.html

[2] wnpa-sec-2016-02 - ASN.1 BER dissector crash
    https://www.wireshark.org/security/wnpa-sec-2016-02.html

[3] wnpa-sec-2016-03 - DNP3 dissector infinite loop
    https://www.wireshark.org/security/wnpa-sec-2016-03.html

[4] wnpa-sec-2016-04 - X.509AF crash
    https://www.wireshark.org/security/wnpa-sec-2016-04.html

[5] wnpa-sec-2016-05 - HTTP/2 dissector crash
    https://www.wireshark.org/security/wnpa-sec-2016-05.html

[6] wnpa-sec-2016-06 - HiQnet dissector crash
    https://www.wireshark.org/security/wnpa-sec-2016-06.html

[7] wnpa-sec-2016-07 - 3GPP TS 32.423 Trace file parser crash
    https://www.wireshark.org/security/wnpa-sec-2016-07.html

[8] wnpa-sec-2016-08 - LBMC dissector crash
    https://www.wireshark.org/security/wnpa-sec-2016-08.html

[9] wnpa-sec-2016-09 - iSeries file parser crash
    https://www.wireshark.org/security/wnpa-sec-2016-09.html

[10] wnpa-sec-2016-10 - RSL dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-10.html

[11] wnpa-sec-2016-11 - LLRP dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-11.html

[12] wnpa-sec-2016-12 - Ixia IxVeriWave file parser crash
     https://www.wireshark.org/security/wnpa-sec-2016-12.html

[13] wnpa-sec-2016-13 - IEEE 802.11 dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-13.html

[14] wnpa-sec-2016-14 - GSM A-bis OML dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-14.html

[15] wnpa-sec-2016-15 - ASN.1 BER dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-15.html

[16] wnpa-sec-2016-16 - SPICE dissector large loop
     https://www.wireshark.org/security/wnpa-sec-2016-16.html

[17] wnpa-sec-2016-17 - NFS dissector crash
     https://www.wireshark.org/security/wnpa-sec-2016-17.html

[18] wnpa-sec-2016-18 - ASN.1 BER dissector crash.
     https://www.wireshark.org/security/wnpa-sec-2016-18.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
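A triage check for the bulletin's two actionable points, added here as an example and not AusCERT's or Wireshark's own code: it compares a version string against the fixed releases 1.12.10 and 2.0.2, and lists DLLs that share a directory with a capture file, the condition CVE-2016-2521 describes. The capture-file extensions, the sample version strings, the directory tree and the handling of branches other than 1.12 are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumed set of capture-file extensions; extend for local formats.
CAPTURE_EXTS = {".pcap", ".pcapng", ".cap"}


def is_affected(version_text):
    """True if the version predates the fixed releases named in the bulletin."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no version number found in %r" % version_text)
    ver = tuple(int(x) for x in m.groups())
    # Compare numerically: as strings, "1.12.9" would sort after "1.12.10".
    if ver[:2] == (1, 12):
        return ver < (1, 12, 10)
    # Assumption: every other branch is measured against 2.0.2.
    return ver < (2, 0, 2)


def dlls_beside_captures(root):
    """Return sorted paths of DLLs that share a directory with a capture file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        exts = {os.path.splitext(f)[1].lower() for f in files}
        if exts & CAPTURE_EXTS:
            hits += [os.path.join(dirpath, f) for f in files
                     if f.lower().endswith(".dll")]
    return sorted(hits)


def demo():
    """Run both checks on constructed sample data (not real findings)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("inbox/trace.pcapng", "inbox/helper.dll",
                    "tools/plugin.dll", "archive/old.pcap"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        found = [os.path.relpath(p, root).replace(os.sep, "/")
                 for p in dlls_beside_captures(root)]
    samples = ["Wireshark 2.0.1", "Wireshark 1.12.9",
               "Wireshark 1.12.10", "Wireshark 2.0.2"]
    return found, {s: is_affected(s) for s in samples}


if __name__ == "__main__":
    print(demo())
```

A DLL reported by the second check is only a lead for review: what matters is whether it was placed beside a capture file that someone is then asked to open.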