Bug 513008 - (CVE-2009-2560) CVE-2009-2560 Wireshark: various flaws in a) RADIUS, b) Bluetooth L2CAP, c) MIOP dissectors (DoS)
CVE-2009-2560 Wireshark: various flaws in a) RADIUS, b) Bluetooth L2CAP, c) M...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
https://bugs.wireshark.org/bugzilla/s...
impact=low,public=20090720,reported=2...
: Security
: 512996 513027 (view as bug list)
Depends On: 549581 549582 549583 549584 561099 833992
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-21 12:29 EDT by Jan Lieskovsky
Modified: 2012-06-20 10:42 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-04-20 11:55:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2009-07-21 12:29:51 EDT
Issue a) NULL pointer dereference in the RADIUS dissector:
----------------------------------------------------------

A NULL pointer dereference flaw was found in the Wireshark's RADIUS
dissector. A remote attacker could provide a specially-crafted RADIUS
packet capture file, which once opened by an unsuspecting user would
lead to denial of service (Wireshark crash).

References:
-----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3578

Reproducer:
-----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3183

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-radius.c?r1=28891&r2=28890&pathrev=28891&view=patch
Comment 2 Jan Lieskovsky 2009-07-21 12:32:08 EDT
Information about affected Wireshark versions:
----------------------------------------------

  Issue a) NULL pointer dereference in the RADIUS dissector:
  ----------------------------------------------------------

  This issue affects the versions of the wireshark package, as shipped
  with Red Hat Enterprise Linux 3, 4, and 5.

  This issue affects the versions of the Wireshark package, as shipped
  with Fedora releases of 10, 11, and Rawhide.

  Issue b) Integer overflow in the Bluetooth L2CAP dissector:
  -----------------------------------------------------------

  This issue does NOT affect the versions of the wireshark package, as shipped
  with Red Hat Enterprise Linux 3, 4, and 5.

  This issue does NOT affect the version of the wireshark package, as shipped
  with Fedora release of 10.

  This issue affects the versions of the wireshark package, as shipped
  with Fedora releases of 11, and Rawhide.  

  Issue c) Past-the-buffer read in the MIOP dissector:
  ----------------------------------------------------

  This issue does NOT affect the versions of the wireshark package, 
  as shipped with Red Hat Enterprise Linux 3, 4, and 5.

  This issue does NOT affect the version of the wireshark package,
  as shipped with Fedora release of 10.

  This issue affects the versions of the wireshark package, 
  as shipped with Fedora releases of 11 and Rawhide.
Comment 4 Jan Lieskovsky 2009-07-21 15:55:21 EDT
MITRE's CVE-2009-2560 entry:
---------------------------

Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote
attackers to cause a denial of service (crash) via unspecified vectors
in the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissectors.  NOTE:
the RADIUS dissector vulnerability also affects 1.0.8.

References:
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2560
http://www.wireshark.org/security/wnpa-sec-2009-04.html
http://www.securityfocus.com/bid/35748
http://secunia.com/advisories/35884
http://www.vupen.com/english/advisories/2009/1970
Comment 6 Jan Lieskovsky 2009-08-12 05:42:14 EDT
Issue b) Integer overflow in the Bluetooth L2CAP dissector:
-----------------------------------------------------------

An integer overflow flaw, leading to heap-based buffer overflow was found
in the Wireshark's Bluetooth L2CAP dissector. A remote attacker could
provide a specially-crafted L2CAP packet capture file, which once opened
by an unsuspecting user would lead to denial of service (Wireshark crash).

References:
----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3572

Reproducer:
----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3179

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-btl2cap.c?r1=28884&r2=28883&pathrev=28884&view=patch
Comment 7 Jan Lieskovsky 2009-08-12 05:45:56 EDT
Issue c) Past-the-buffer read in the MIOP dissector:
----------------------------------------------------

An insufficient user-provided input validation flaw was found
in the Wireshark's MIOP dissector. A remote attacker could
provide a specially-crafted MIOP packet capture file, which
once opened by an unsuspecting user, would attempt to read
past the bounds of allocated buffer, leading to application
(Wireshark) abort.

References:
----------
http://www.wireshark.org/security/wnpa-sec-2009-04.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3652

Reproducer:
-----------
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3243

Upstream patch:
---------------
http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ziop.c?r1=29095&r2=29094&pathrev=29095&view=patch
Comment 8 Jan Lieskovsky 2009-08-12 05:59:57 EDT
*** Bug 512996 has been marked as a duplicate of this bug. ***
Comment 9 Jan Lieskovsky 2009-08-12 06:00:16 EDT
*** Bug 513027 has been marked as a duplicate of this bug. ***
Comment 10 Jan Lieskovsky 2009-08-12 06:19:26 EDT
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

The Bluetooth L2CAP and MIOP dissector issues did not affect the versions
of the Wireshark package, as shipped with Red Hat Enterprise Linux 3, 4,
or 5. 

The Red Hat Security Response Team has rated the RADIUS dissector
issue as having low security impact, a future Wireshark package
update may address this flaw in Red Hat Enterprise Linux 3, 4, and 5.
More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
Comment 11 Tomas Hoger 2009-09-30 09:10:08 EDT
Note: Radius dissector crash affecting 1.0.x versions was not fixed upstream in 1.0.9.
Comment 13 Tomas Hoger 2009-09-30 15:03:01 EDT
Fix committed now in 1.0 SVN branch too, to be released in 1.0.10:
  http://anonsvn.wireshark.org/viewvc?view=rev&revision=30219
Comment 14 Tomas Hoger 2009-10-28 04:23:50 EDT
Fixed now in 1.0.10:
  http://www.wireshark.org/security/wnpa-sec-2009-08.html
Comment 15 Fedora Update System 2009-11-04 07:02:13 EST
wireshark-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2009-12-04 18:38:45 EST
wireshark-1.2.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 errata-xmlrpc 2010-04-20 11:31:32 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 3

Via RHSA-2010:0360 https://rhn.redhat.com/errata/RHSA-2010-0360.html

Note You need to log in before you can comment on or make changes to this bug.