===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.2249.2
                sol15868: Multiple Wireshark vulnerabilities
                                 4 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4936 CVE-2013-4935 CVE-2013-4934
                   CVE-2013-4933 CVE-2013-4932 CVE-2013-4931
                   CVE-2013-4930 CVE-2013-4929 CVE-2013-4928
                   CVE-2013-4927 CVE-2013-4926 CVE-2013-4925
                   CVE-2013-4924 CVE-2013-4923 CVE-2013-4922
                   CVE-2013-4921 CVE-2013-4920 CVE-2013-4083
                   CVE-2013-4082 CVE-2013-4081 CVE-2013-4080
                   CVE-2013-4079 CVE-2013-4078 CVE-2013-4077
                   CVE-2013-4076 CVE-2013-4075 CVE-2013-4074

Reference:         ESB-2013.1072
                   ESB-2013.1026
                   ESB-2013.0844

Original Bulletin:
   https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15868.html

Revision History:  May       4 2015: Updated information for vulnerable products
                   November 28 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SOL15868: Multiple Wireshark vulnerabilities

Security Advisory

Original Publication Date: 11/27/2014
Updated Date: 04/29/2015

Description

Following are the descriptions of various Wireshark vulnerabilities:

CVE-2013-4074
The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the
CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8
incorrectly uses a -1 data value to represent an error condition, which
allows remote attackers to cause a denial of service (application crash)
via a crafted packet.

CVE-2013-4075
epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in Wireshark
1.8.x before 1.8.8 does not properly initialize memory, which allows remote
attackers to cause a denial of service (application crash) via a crafted
packet.

CVE-2013-4076
Buffer overflow in the dissect_iphc_crtp_fh function in
epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before
1.8.8 allows remote attackers to cause a denial of service (application
crash) via a crafted packet.

CVE-2013-4077
Array index error in the NBAP dissector in Wireshark 1.8.x before 1.8.8
allows remote attackers to cause a denial of service (application crash)
via a crafted packet, related to nbap.cnf and packet-nbap.c.

CVE-2013-4078
epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x before
1.8.8 does not validate return values during checks for data availability,
which allows remote attackers to cause a denial of service (application
crash) via a crafted packet.

CVE-2013-4079
The dissect_schedule_message function in epan/dissectors/packet-gsm_cbch.c
in the GSM CBCH dissector in Wireshark 1.8.x before 1.8.8 allows remote
attackers to cause a denial of service (infinite loop and application hang)
via a crafted packet.

CVE-2013-4080
The dissect_r3_upstreamcommand_queryconfig function in
epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in
Wireshark 1.8.x before 1.8.8 does not properly handle a zero-length item,
which allows remote attackers to cause a denial of service (infinite loop,
and CPU and memory consumption) via a crafted packet.

CVE-2013-4081
The http_payload_subdissector function in epan/dissectors/packet-http.c in
the HTTP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8
does not properly determine when to use a recursive approach, which allows
remote attackers to cause a denial of service (stack consumption) via a
crafted packet.

CVE-2013-4082
The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file parser
in Wireshark 1.8.x before 1.8.8 does not validate the relationship between
a record length and a trailer length, which allows remote attackers to
cause a denial of service (heap-based buffer overflow and application
crash) via a crafted packet.

CVE-2013-4083
The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP
ETSI dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before 1.8.8, and
1.10.0 does not validate a certain fragment length value, which allows
remote attackers to cause a denial of service (application crash) via a
crafted packet.

CVE-2013-4920
The P1 dissector in Wireshark 1.10.x before 1.10.1 does not properly
initialize a global variable, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet.

CVE-2013-4921
Off-by-one error in the dissect_radiotap function in
epan/dissectors/packet-ieee80211-radiotap.c in the Radiotap dissector in
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of
service (application crash) via a crafted packet.

CVE-2013-4922
Double free vulnerability in the dissect_dcom_ActivationProperties function
in epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator
dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to
cause a denial of service (application crash) via a crafted packet.

CVE-2013-4923
Memory leak in the dissect_dcom_ActivationProperties function in
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector
in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial
of service (memory consumption) via crafted packets.

CVE-2013-4924
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector
in Wireshark 1.10.x before 1.10.1 does not properly validate certain index
values, which allows remote attackers to cause a denial of service
(assertion failure and application exit) via a crafted packet.

CVE-2013-4925
Integer signedness error in epan/dissectors/packet-dcom-sysact.c in the
DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows
remote attackers to cause a denial of service (assertion failure and daemon
exit) via a crafted packet.

CVE-2013-4926
epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector
in Wireshark 1.10.x before 1.10.1 does not properly determine whether there
is remaining packet data to process, which allows remote attackers to cause
a denial of service (application crash) via a crafted packet.

CVE-2013-4927
Integer signedness error in the get_type_length function in
epan/dissectors/packet-btsdp.c in the Bluetooth SDP dissector in Wireshark
1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote attackers to
cause a denial of service (loop and CPU consumption) via a crafted packet.

CVE-2013-4928
Integer signedness error in the dissect_headers function in
epan/dissectors/packet-btobex.c in the Bluetooth OBEX dissector in
Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of
service (infinite loop) via a crafted packet.

CVE-2013-4929
The parseFields function in epan/dissectors/packet-dis-pdus.c in the DIS
dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not
terminate packet-data processing after finding zero remaining bytes, which
allows remote attackers to cause a denial of service (loop) via a crafted
packet.

CVE-2013-4930
The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c in
the DVB-CI dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before
1.10.1 does not validate a certain length value before decrementing it,
which allows remote attackers to cause a denial of service (assertion
failure and application exit) via a crafted packet.

CVE-2013-4931
epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1
allows remote attackers to cause a denial of service (loop) via a crafted
packet that is not properly handled by the GSM RR dissector.

CVE-2013-4932
Multiple array index errors in epan/dissectors/packet-gsm_a_common.c in the
GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before
1.10.1 allow remote attackers to cause a denial of service (application
crash) via a crafted packet.

CVE-2013-4933
The netmon_open function in wiretap/netmon.c in the Netmon file parser in
Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not properly
allocate memory, which allows remote attackers to cause a denial of service
(application crash) via a crafted packet-trace file.

CVE-2013-4934
The netmon_open function in wiretap/netmon.c in the Netmon file parser in
Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize
certain structure members, which allows remote attackers to cause a denial
of service (application crash) via a crafted packet-trace file.

CVE-2013-4935
The dissect_per_length_determinant function in
epan/dissectors/packet-per.c in the ASN.1 PER dissector in Wireshark 1.8.x
before 1.8.9 and 1.10.x before 1.10.1 does not initialize a length field in
certain abnormal situations, which allows remote attackers to cause a
denial of service (application crash) via a crafted packet.

CVE-2013-4936
The IsDFP_Frame function in plugins/profinet/packet-pn-rt.c in the PROFINET
Real-Time dissector in Wireshark 1.10.x before 1.10.1 does not validate MAC
addresses, which allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted packet.

Impact

The vulnerabilities allow Wireshark (tshark) to stop responding when a
malformed packet or a malicious dump file is being read.

Status

F5 Product Development has assigned ID 439062 (BIG-IP), ID 474492
(Enterprise Manager) and ID 474493 (BIG-IQ) to this vulnerability, and has
evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product                 Versions known to   Versions known to   Vulnerable component
                        be vulnerable       be not vulnerable   or feature

BIG-IP LTM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1
                                            10.0.0 - 10.2.4

BIG-IP AAM              11.4.0 - 11.5.2     11.6.0              Wireshark (tshark)

BIG-IP AFM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1

BIG-IP Analytics        11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1

BIG-IP APM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1
                                            10.1.0 - 10.2.4

BIG-IP ASM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1
                                            10.0.0 - 10.2.4

BIG-IP Edge Gateway     11.3.0              11.0.0 - 11.2.1     Wireshark (tshark)
                                            10.1.0 - 10.2.4

BIG-IP GTM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1
                                            10.0.0 - 10.2.4

BIG-IP Link Controller  11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)
                                            11.0.0 - 11.2.1
                                            10.0.0 - 10.2.4

BIG-IP PEM              11.3.0 - 11.5.2     11.6.0              Wireshark (tshark)

BIG-IP PSM              11.3.0 - 11.4.1     11.0.0 - 11.2.1     Wireshark (tshark)
                                            10.0.0 - 10.2.4

BIG-IP WebAccelerator   11.3.0              11.0.0 - 11.2.1     Wireshark (tshark)
                                            10.0.0 - 10.2.4

BIG-IP WOM              11.3.0              11.0.0 - 11.2.1     Wireshark (tshark)
                                            10.0.0 - 10.2.4

ARX                     None                6.0.0 - 6.4.0       None

Enterprise Manager      3.1.0 - 3.1.1       3.0.0               None
                                            2.1.0 - 2.3.0

FirePass                None                7.0.0               None
                                            6.0.0 - 6.1.0

BIG-IQ Cloud            4.0.0 - 4.5.0       None                Wireshark (tshark)

BIG-IQ Device           4.2.0 - 4.5.0       None                Wireshark (tshark)

BIG-IQ Security         4.0.0 - 4.5.0       None                Wireshark (tshark)

BIG-IQ ADC              4.5.0               None                Wireshark (tshark)

Recommended action

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then
no upgrade candidate currently exists.

To mitigate this vulnerability, you can use the tcpdump utility instead of
Wireshark (tshark). For more information about using tcpdump, refer to
SOL411: Overview of packet tracing with the tcpdump utility

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x)
SOL9502: BIG-IP hotfix matrix
SOL15113: BIG-IQ hotfix matrix

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================