===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.2249.2
               sol15868: Multiple Wireshark vulnerabilities
                                4 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4936 CVE-2013-4935 CVE-2013-4934
                   CVE-2013-4933 CVE-2013-4932 CVE-2013-4931
                   CVE-2013-4930 CVE-2013-4929 CVE-2013-4928
                   CVE-2013-4927 CVE-2013-4926 CVE-2013-4925
                   CVE-2013-4924 CVE-2013-4923 CVE-2013-4922
                   CVE-2013-4921 CVE-2013-4920 CVE-2013-4083
                   CVE-2013-4082 CVE-2013-4081 CVE-2013-4080
                   CVE-2013-4079 CVE-2013-4078 CVE-2013-4077
                   CVE-2013-4076 CVE-2013-4075 CVE-2013-4074

Reference:         ESB-2013.1072
                   ESB-2013.1026
                   ESB-2013.0844

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15868.html

Revision History:  May       4 2015: Updated information for vulnerable products 
                   November 28 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

SOL15868: Multiple Wireshark vulnerabilities

Security Advisory

Original Publication Date: 11/27/2014

Updated Date: 04/29/2015

Description

Following are the descriptions of various Wireshark vulnerabilities:

CVE-2013-4074

The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the 
CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 
incorrectly uses a -1 data value to represent an error condition, which allows
remote attackers to cause a denial of service (application crash) via a 
crafted packet.

CVE-2013-4075

epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in Wireshark 
1.8.x before 1.8.8 does not properly initialize memory, which allows remote 
attackers to cause a denial of service (application crash) via a crafted 
packet.

CVE-2013-4076

Buffer overflow in the dissect_iphc_crtp_fh function in 
epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 
1.8.8 allows remote attackers to cause a denial of service (application crash)
via a crafted packet.

CVE-2013-4077

Array index error in the NBAP dissector in Wireshark 1.8.x before 1.8.8 allows
remote attackers to cause a denial of service (application crash) via a 
crafted packet, related to nbap.cnf and packet-nbap.c.

CVE-2013-4078

epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x before 
1.8.8 does not validate return values during checks for data availability, 
which allows remote attackers to cause a denial of service (application crash)
via a crafted packet.

CVE-2013-4079

The dissect_schedule_message function in epan/dissectors/packet-gsm_cbch.c in
the GSM CBCH dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers
to cause a denial of service (infinite loop and application hang) via a 
crafted packet.

CVE-2013-4080

The dissect_r3_upstreamcommand_queryconfig function in 
epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in Wireshark 
1.8.x before 1.8.8 does not properly handle a zero-length item, which allows 
remote attackers to cause a denial of service (infinite loop, and CPU and 
memory consumption) via a crafted packet.

CVE-2013-4081

The http_payload_subdissector function in epan/dissectors/packet-http.c in the
HTTP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 does 
not properly determine when to use a recursive approach, which allows remote 
attackers to cause a denial of service (stack consumption) via a crafted 
packet.

CVE-2013-4082

The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file parser in 
Wireshark 1.8.x before 1.8.8 does not validate the relationship between a 
record length and a trailer length, which allows remote attackers to cause a 
denial of service (heap-based buffer overflow and application crash) via a 
crafted packet.

CVE-2013-4083

The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP ETSI
dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before 1.8.8, and 1.10.0 
does not validate a certain fragment length value, which allows remote 
attackers to cause a denial of service (application crash) via a crafted 
packet.

CVE-2013-4920

The P1 dissector in Wireshark 1.10.x before 1.10.1 does not properly 
initialize a global variable, which allows remote attackers to cause a denial
of service (application crash) via a crafted packet.

CVE-2013-4921

Off-by-one error in the dissect_radiotap function in 
epan/dissectors/packet-ieee80211-radiotap.c in the Radiotap dissector in 
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of 
service (application crash) via a crafted packet.

CVE-2013-4922

Double free vulnerability in the dissect_dcom_ActivationProperties function in
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of 
service (application crash) via a crafted packet.

CVE-2013-4923

Memory leak in the dissect_dcom_ActivationProperties function in 
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of 
service (memory consumption) via crafted packets.

CVE-2013-4924

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in
Wireshark 1.10.x before 1.10.1 does not properly validate certain index 
values, which allows remote attackers to cause a denial of service (assertion
failure and application exit) via a crafted packet.

CVE-2013-4925

Integer signedness error in epan/dissectors/packet-dcom-sysact.c in the DCOM 
ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows remote 
attackers to cause a denial of service (assertion failure and daemon exit) via
a crafted packet.

CVE-2013-4926

epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in
Wireshark 1.10.x before 1.10.1 does not properly determine whether there is 
remaining packet data to process, which allows remote attackers to cause a 
denial of service (application crash) via a crafted packet.

CVE-2013-4927

Integer signedness error in the get_type_length function in 
epan/dissectors/packet-btsdp.c in the Bluetooth SDP dissector in Wireshark 
1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote attackers to cause a
denial of service (loop and CPU consumption) via a crafted packet.

CVE-2013-4928

Integer signedness error in the dissect_headers function in 
epan/dissectors/packet-btobex.c in the Bluetooth OBEX dissector in Wireshark 
1.10.x before 1.10.1 allows remote attackers to cause a denial of service 
(infinite loop) via a crafted packet.

CVE-2013-4929

The parseFields function in epan/dissectors/packet-dis-pdus.c in the DIS 
dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not 
terminate packet-data processing after finding zero remaining bytes, which 
allows remote attackers to cause a denial of service (loop) via a crafted 
packet.

CVE-2013-4930

The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c in the 
DVB-CI dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does
not validate a certain length value before decrementing it, which allows 
remote attackers to cause a denial of service (assertion failure and 
application exit) via a crafted packet.

CVE-2013-4931

epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows 
remote attackers to cause a denial of service (loop) via a crafted packet that
is not properly handled by the GSM RR dissector.

CVE-2013-4932

Multiple array index errors in epan/dissectors/packet-gsm_a_common.c in the 
GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 
1.10.1 allow remote attackers to cause a denial of service (application crash)
via a crafted packet.

CVE-2013-4933

The netmon_open function in wiretap/netmon.c in the Netmon file parser in 
Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not properly 
allocate memory, which allows remote attackers to cause a denial of service 
(application crash) via a crafted packet-trace file.

CVE-2013-4934

The netmon_open function in wiretap/netmon.c in the Netmon file parser in 
Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize 
certain structure members, which allows remote attackers to cause a denial of
service (application crash) via a crafted packet-trace file.

CVE-2013-4935

The dissect_per_length_determinant function in epan/dissectors/packet-per.c in
the ASN.1 PER dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 
1.10.1 does not initialize a length field in certain abnormal situations, 
which allows remote attackers to cause a denial of service (application crash)
via a crafted packet.

CVE-2013-4936

The IsDFP_Frame function in plugins/profinet/packet-pn-rt.c in the PROFINET 
Real-Time dissector in Wireshark 1.10.x before 1.10.1 does not validate MAC 
addresses, which allows remote attackers to cause a denial of service (NULL 
pointer dereference and application crash) via a crafted packet.
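
Several entries above (CVE-2013-4080 and CVE-2013-4929 among them) describe the
same failure: a parsing loop that stops advancing on a zero-length item or on
zero remaining bytes. The C example below is an added illustration, not code
from Wireshark or from F5; the item format, function names and sample buffers
are constructed for it. It contrasts an unchecked length-prefixed walk with one
that rejects zero and over-long lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format (hypothetical, not a Wireshark protocol): items laid
 * end to end, each starting with a 1-byte length that counts the whole item. */
enum { WALK_OK = 0, WALK_ZERO_LEN = -1, WALK_TRUNCATED = -2 };

/* Constructed sample inputs. */
static const uint8_t GOOD[]      = { 3, 'a', 'b', 2, 'c' };
static const uint8_t ZERO_ITEM[] = { 3, 'a', 'b', 0, 2, 'c' };
static const uint8_t TRUNCATED[] = { 3, 'a', 'b', 4, 'c' };

/* Unchecked walk, for comparison: a length of 0 never moves the offset, so the
 * loop spins. max_steps exists only so this demo terminates. Returns steps. */
size_t walk_unchecked(const uint8_t *buf, size_t len, size_t max_steps)
{
    size_t off = 0, steps = 0;
    while (off < len && steps < max_steps) {
        off += buf[off];
        steps++;
    }
    return steps;
}

/* Checked walk: each item must make forward progress and fit in what is left. */
int walk_checked(const uint8_t *buf, size_t len, size_t *items)
{
    size_t off = 0;
    *items = 0;
    while (off < len) {
        size_t item_len = buf[off];      /* unsigned, so never negative */
        if (item_len == 0)
            return WALK_ZERO_LEN;        /* would loop forever */
        if (item_len > len - off)        /* off < len, so no underflow */
            return WALK_TRUNCATED;       /* length runs past the buffer */
        off += item_len;
        (*items)++;
    }
    return WALK_OK;
}

int main(void)
{
    size_t n;
    int rc = walk_checked(ZERO_ITEM, sizeof ZERO_ITEM, &n);
    printf("unchecked steps=%zu checked rc=%d items=%zu\n",
           walk_unchecked(ZERO_ITEM, sizeof ZERO_ITEM, 1000), rc, n);
    return 0;
}
```

On the zero-length sample the unchecked walk uses every step it is allowed,
while the checked walk stops after one item with an error.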

Impact

The vulnerabilities allow Wireshark (tshark) to stop responding when a 
malformed packet or a malicious dump file is being read.

Status

F5 Product Development has assigned ID 439062 (BIG-IP), ID 474492 (Enterprise
Manager) and ID 474493 (BIG-IQ) to this vulnerability, and has evaluated the 
currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product                 Versions known     Versions known to   Vulnerable component
                        to be vulnerable   be not vulnerable   or feature
----------------------  -----------------  ------------------  --------------------

BIG-IP LTM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1
                                           10.0.0 - 10.2.4

BIG-IP AAM              11.4.0 - 11.5.2    11.6.0              Wireshark (tshark)

BIG-IP AFM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1

BIG-IP Analytics        11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1

BIG-IP APM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1
                                           10.1.0 - 10.2.4

BIG-IP ASM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1
                                           10.0.0 - 10.2.4

BIG-IP Edge Gateway     11.3.0             11.0.0 - 11.2.1     Wireshark (tshark)
                                           10.1.0 - 10.2.4

BIG-IP GTM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1
                                           10.0.0 - 10.2.4

BIG-IP Link Controller  11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)
                                           11.0.0 - 11.2.1
                                           10.0.0 - 10.2.4

BIG-IP PEM              11.3.0 - 11.5.2    11.6.0              Wireshark (tshark)

BIG-IP PSM              11.3.0 - 11.4.1    11.0.0 - 11.2.1     Wireshark (tshark)
                                           10.0.0 - 10.2.4

BIG-IP WebAccelerator   11.3.0             11.0.0 - 11.2.1     Wireshark (tshark)
                                           10.0.0 - 10.2.4

BIG-IP WOM              11.3.0             11.0.0 - 11.2.1     Wireshark (tshark)
                                           10.0.0 - 10.2.4

ARX                     None               6.0.0 - 6.4.0       None

Enterprise Manager      3.1.0 - 3.1.1      3.0.0               None
                                           2.1.0 - 2.3.0

FirePass                None               7.0.0               None
                                           6.0.0 - 6.1.0

BIG-IQ Cloud            4.0.0 - 4.5.0      None                Wireshark (tshark)

BIG-IQ Device           4.2.0 - 4.5.0      None                Wireshark (tshark)

BIG-IQ Security         4.0.0 - 4.5.0      None                Wireshark (tshark)

BIG-IQ ADC              4.5.0              None                Wireshark (tshark)

Recommended action

If the previous table lists a version in the Versions known to be not 
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no
upgrade candidate currently exists.

To mitigate this vulnerability, you can use the tcpdump utility instead of 
Wireshark (tshark). For more information about using tcpdump, refer to SOL411:
Overview of packet tracing with the tcpdump utility.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

SOL167: Downloading software and firmware from F5

SOL13123: Managing BIG-IP product hotfixes (11.x)

SOL9502: BIG-IP hotfix matrix

SOL15113: BIG-IQ hotfix matrix

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================