Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

wnpa-sec-2006-02 · Multiple problems in Wireshark (Ethereal)

Summary

Name: Multiple problems in Wireshark (Ethereal)

Docid: wnpa-sec-2006-02

Date: August 23, 2006

Affected versions: 0.7.9 up to and including 0.99.2

Fixed versions: 0.99.3

Details

Description

Wireshark 0.99.3 fixes the following vulnerabilities:

  • The SCSI dissector could crash. Versions affected: 0.99.2. CVE: CVE-2006-4330
  • If Wireshark was compiled with ESP decryption support, the IPsec ESP preference parser was susceptible to off-by-one errors. Versions affected: 0.99.2. CVE: CVE-2006-4331
  • The DHCP dissector (and possibly others) in the Windows version of Wireshark could trigger a bug in Glib and crash. Versions affected: 0.10.13 - 0.99.2. CVE: CVE-2006-4332
  • If the SSCOP dissector has a port range configured and the SSCOP payload protocol is Q.2931, a malformed packet could make the Q.2931 dissector use up available memory. No port range is configured by default. Versions affected: 0.7.9 - 0.99.2. CVE: CVE-2006-4333

Impact

It may be possible to make Wireshark or Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

Resolution

Upgrade to Wireshark 0.99.3.

If are running Wireshark 0.99.2 or Ethereal 0.99.0 or earlier and cannot upgrade, you can work around each of the problems listed above by doing the following:

  • Disable the SCSI and Q.2931 dissectors. If you're running Wireshark under Windows, disable the DHCP dissector.
    • Select Analyze→Enabled Protocols... from the menu.
    • Make sure "SCSI", "Q.2931", and "BOOTP/DHCP" (if needed) are un-checked.
    • Click "Save", then click "OK".
  • If your copy of Wireshark has ESP decryption compiled in, make sure it's disabled.
    • Select Edit→Preferences, then Protocols→ESP from the menu.
    • Make sure "Attempt to detect/decode encrypted ESP payloads" is un-checked.