Bug 513008 (CVE-2009-2560)

Summary: CVE-2009-2560 Wireshark: various flaws in a) RADIUS, b) Bluetooth L2CAP, c) MIOP dissectors (DoS)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kreilly, mjc, rvokal, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3578
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-20 15:55:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 549581, 549582, 549583, 549584, 561099, 833992    
Bug Blocks:    

Description Jan Lieskovsky 2009-07-21 16:29:51 UTC 
Issue a) NULL pointer dereference in the RADIUS dissector:
----------------------------------------------------------

A NULL pointer dereference flaw was found in the Wireshark's RADIUS
dissector. A remote attacker could provide a specially-crafted RADIUS
packet capture file, which once opened by an unsuspecting user would
lead to denial of service (Wireshark crash).

References:
-----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3578

Reproducer:
-----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3183

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-radius.c?r1=28891&r2=28890&pathrev=28891&view=patch
Comment 2 Jan Lieskovsky 2009-07-21 16:32:08 UTC 
Information about affected Wireshark versions:
----------------------------------------------

  Issue a) NULL pointer dereference in the RADIUS dissector:
  ----------------------------------------------------------

  This issue affects the versions of the wireshark package, as shipped
  with Red Hat Enterprise Linux 3, 4, and 5.

  This issue affects the versions of the Wireshark package, as shipped
  with Fedora releases of 10, 11, and Rawhide.

  Issue b) Integer overflow in the Bluetooth L2CAP dissector:
  -----------------------------------------------------------

  This issue does NOT affect the versions of the wireshark package, as shipped
  with Red Hat Enterprise Linux 3, 4, and 5.

  This issue does NOT affect the version of the wireshark package, as shipped
  with Fedora release of 10.

  This issue affects the versions of the wireshark package, as shipped
  with Fedora releases of 11, and Rawhide.  

  Issue c) Past-the-buffer read in the MIOP dissector:
  ----------------------------------------------------

  This issue does NOT affect the versions of the wireshark package, 
  as shipped with Red Hat Enterprise Linux 3, 4, and 5.

  This issue does NOT affect the version of the wireshark package,
  as shipped with Fedora release of 10.

  This issue affects the versions of the wireshark package, 
  as shipped with Fedora releases of 11 and Rawhide.
Comment 4 Jan Lieskovsky 2009-07-21 19:55:21 UTC 
MITRE's CVE-2009-2560 entry:
---------------------------

Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote
attackers to cause a denial of service (crash) via unspecified vectors
in the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissectors.  NOTE:
the RADIUS dissector vulnerability also affects 1.0.8.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
http://www.wireshark.org/security/wnpa-sec-2009-04.html
http://www.securityfocus.com/bid/35748
http://secunia.com/advisories/35884
http://www.vupen.com/english/advisories/2009/1970
Comment 6 Jan Lieskovsky 2009-08-12 09:42:14 UTC 
Issue b) Integer overflow in the Bluetooth L2CAP dissector:
-----------------------------------------------------------

An integer overflow flaw, leading to heap-based buffer overflow was found
in the Wireshark's Bluetooth L2CAP dissector. A remote attacker could
provide a specially-crafted L2CAP packet capture file, which once opened
by an unsuspecting user would lead to denial of service (Wireshark crash).

References:
----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3572

Reproducer:
----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3179

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btl2cap.c?r1=28884&r2=28883&pathrev=28884&view=patch
Comment 7 Jan Lieskovsky 2009-08-12 09:45:56 UTC 
Issue c) Past-the-buffer read in the MIOP dissector:
----------------------------------------------------

An insufficient user-provided input validation flaw was found
in the Wireshark's MIOP dissector. A remote attacker could
provide a specially-crafted MIOP packet capture file, which
once opened by an unsuspecting user, would attempt to read
past the bounds of allocated buffer, leading to application
(Wireshark) abort.

References:
----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3652

Reproducer:
-----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3243

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ziop.c?r1=29095&r2=29094&pathrev=29095&view=patch
Comment 8 Jan Lieskovsky 2009-08-12 09:59:57 UTC 
*** Bug 512996 has been marked as a duplicate of this bug. ***
Comment 9 Jan Lieskovsky 2009-08-12 10:00:16 UTC 
*** Bug 513027 has been marked as a duplicate of this bug. ***
Comment 10 Jan Lieskovsky 2009-08-12 10:19:26 UTC 
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

The Bluetooth L2CAP and MIOP dissector issues did not affect the versions
of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4,
or 5. 

The Red Hat Security Response Team has rated the RADIUS dissector
issue as having low security impact, a future Wireshark package
update may address this flaw in Red Hat Enterprise Linux 3, 4, and 5.
More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
Comment 11 Tomas Hoger 2009-09-30 13:10:08 UTC 
Note: Radius dissector crash affecting 1.0.x versions was not fixed upstream in 1.0.9.
Comment 13 Tomas Hoger 2009-09-30 19:03:01 UTC 
Fix committed now in 1.0 SVN branch too, to be released in 1.0.10:
  http://anonsvn.wireshark.org/viewvc?view=rev&revision=30219
Comment 14 Tomas Hoger 2009-10-28 08:23:50 UTC 
Fixed now in 1.0.10:
  http://www.wireshark.org/security/wnpa-sec-2009-08.html
Comment 15 Fedora Update System 2009-11-04 12:02:13 UTC 
wireshark-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2009-12-04 23:38:45 UTC 
wireshark-1.2.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 errata-xmlrpc 2010-04-20 15:31:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 3

Via RHSA-2010:0360 https://rhn.redhat.com/errata/RHSA-2010-0360.html