Bug 80581 (CVE-2005-1470)

Summary: VUL-0: CVE-2005-1470: Ethereal once again
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: aj, gp, jmayer, postadal, rf, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1470: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: ethereal_sip.c

Description Sebastian Krahmer 2005-04-27 09:19:08 UTC
Be warned. This is a huge list of issues. Looks like
a version upgrade is needed?

Date: Tue, 26 Apr 2005 14:45:18 -0500
From: Gerald Combs <gerald@ethereal.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Upcoming Ethereal release (0.10.11) fixes a large
    number of vulnerabilities

An aggressive testing program along with independent reports have
revealed a large number of bugs in Ethereal.  These will be fixed in the
next release, tentatively scheduled for May 2nd or 3rd.  Bugs discovered
so far are listed below, and there are several more in the pipeline.
I'll send an update in a few days as more bugs are fixed.

  The ANSI A dissector was susceptible to format string vulnerabilities.
  Discovered by Bryan Fulton.
  Versions affected: 0.9.15 to 0.10.10
  Fixed in revisions: 13793, 13794

  The GSM MAP dissector could crash.
  Versions affected: 0.10.0 to 0.10.10
  Fixed in revisions: 13984, 13985, 13986

  The AIM dissector could cause a crash.
  Versions affected: 0.9.14 to 0.10.10
  Fixed in revisions: 13955

  The DISTCC dissector was susceptible to a buffer overflow.
  Discovered by Ilja van Sprundel
  Versions affected: 0.9.13 to 0.10.10
  Fixed in revisions: 14016

  The FCELS dissector was susceptible to a buffer overflow.
  Discovered by Neil Kettle
  Versions affected: 0.9.9 to 0.10.10
  Fixed in revisions: 14027

  The SIP dissector was susceptible to a buffer overflow.
  Discovered by Ejovi Nuwere.
  Versions affected: 0.10.0 to 0.10.10
  Fixed in revisions: 14155

  The KINK dissector was susceptible to a null pointer exception,
  endless looping, and other problems.
  Versions affected: 0.10.10
  Fixed in revisions: 13797, 13803, 13853, 13896

  The LMP dissector was susceptible to an endless loop.
  Versions affected: 0.9.4 to 0.10.10
  Fixed in revisions: 13878, 13879

  The Telnet dissector could abort.
  Versions affected: 0.9.10 to 0.10.10
  Fixed in revisions: 13739, 13740

  The TZSP dissector could cause a segmentation fault.
  Versions affected: 0.10.10 to 0.10.10
  Fixed in revisions: 13790

  The WSP dissector was susceptible to a null pointer exception and
  assertions.
  Versions affected: 0.10.0 to 0.10.10
  Fixed in revisions: 13868, 13869, 13876, 14018, 14029, 14110, 14111

  The 802.3 Slow protocols dissector could throw an assertion.
  Versions affected: 0.10.10
  Fixed in revisions: 13950

  The BER dissector could throw assertions.
  Versions affected: 0.10.2 to 0.10.10
  Fixed in revisions: 14064, 14065, 14078, 14079, 14080, 14092, 14145

  The SMB Mailslot dissector was susceptible to a null pointer exception
  and could throw assertions.
  Versions affected: 0.9.0 to 0.10.10
  Fixed in revisions: 14066, 14067, 14129

  The H.245 dissector was susceptible to a null pointer exception.
  Versions affected: 0.10.10
  Fixed in revisions: 14072

  The Bittorrent dissector could cause a segmentation fault.
  Versions affected: 0.10.8 to 0.10.10
  Fixed in revisions: 14136

  The SMB dissector could cause a segmentation fault and throw
  assertions.
  Versions affected: 0.9.0 to 0.10.10
  Fixed in revisions: 13968, 14077, 14107, 14149

  The Fibre Channel dissector could cause a crash.
  Versions affected: 0.9.9 to 0.10.10
  Fixed in revisions: 14115, 14154

  The DICOM dissector could attempt to allocate large amounts of memory.
  Versions affected: 0.10.4 to 0.10.10
  Fixed in revisions: 14117

  The MGCP dissector was susceptible to a null pointer exception, could
  loop indefinitely, and segfault.
  Versions affected: 0.8.14 to 0.10.10
  Fixed in revisions: 14119, 14121, 14181

  The RSVP dissector could loop indefinitely.
  Versions affected: 0.9.8 to 0.10.10
  Fixed in revisions: 14128, 14153, 14165, 14168

  The DHCP dissector was susceptible to format string vulnerabilities,
  and could abort.
  Versions affected: 0.10.7 to 0.10.10
  Fixed in revisions: 14019, 14141

  The SRVLOC dissector could crash unexpectedly or go into an infinite
  loop.
  Versions affected: 0.9.8 to 0.10.10
  Fixed in revisions: 14150, 14182

  The EIGRP dissector could loop indefinitely.
  Versions affected: 0.8.18 to 0.10.10
  Fixed in revisions: 14151

  The ISIS dissector could overflow a buffer.
  Versions affected: 0.8.18 to 0.10.10
  Fixed in revisions: 14161

  The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explitit, PKIX Qualified,
  and X.509 dissectors could overflow buffers.
  Versions affected: 0.10.4 to 0.10.10
  Fixed in revisions: 14169

  The NDPS dissector could exhaust system memory or cause an assertion.
  Versions affected: 0.9.12 to 0.10.10
  Fixed in revisions: 14172, 14183

  The Q.931 dissector could try to free a null pointer and overflow
  a buffer.
  Versions affected: 0.10.10
  Fixed in revisions: 14173

  The IAX2 dissector could throw an assertion.
  Versions affected: 0.10.1 to 0.10.10
  Fixed in revisions: 14175

  The ICEP dissector could try to free the same memory twice.
  Versions affected: 0.10.7 to 0.10.10
  Fixed in revisions: 14176

  The MEGACO dissector was susceptible to an infinite loop.
  Versions affected:
  Fixed in revisions:

  The DLSw dissector was susceptible to an infinite loop.
  Versions affected: 0.9.1 to 0.10.10
  Fixed in revisions: 14178

  The RPC dissector was susceptible to a null pointer exception and
  Versions affected: 0.9.2 to 0.10.10
  Fixed in revisions: 14186


  The following dissectors could throw an assertion when passing an
  invalid protocol tree item length.
  Versions affected: 0.10.8 to 0.10.10

  PPP:    13897, 13898, 13900, 13901, 13906, 13908, 13921, 13927
  FCP:    13899, 13917
  ISAKMP: 13974
  Vines:  13925
  MIPv6:  13963
  PER:    13970
  T.38:   14014
  SSL:    14120
  NCP:    14159
  MMSE:   14163
  DCERPC: 14171
  ISMP:   14171
  EPM:    14174

Ethereal's SVN repository can be browsed online at

    http://anonsvn.ethereal.com/viewcvs/viewcvs.py/

Information on obtaining the source code can be found at

    http://www.ethereal.com/development.html#source

Please don't hesitate to contact me if you have any questions.
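Most of the bug classes in Gerald's list (buffer overflows, assertions on an invalid protocol tree item length, endless loops on malformed input) come down to a dissector trusting a length field taken from the packet. The following is an added illustration written for this bug entry; it is not Ethereal's code and does not come from the advisory. It walks a hypothetical TLV-style wire format (constructed for the example: 1-byte type, 1-byte length covering the whole item) and shows the checks a dissector needs before it creates a tree item or advances its offset, with constructed sample packets for the truncated, overlong and zero-length cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict of one dissection pass. Malformed input is reported as a verdict
 * instead of becoming an abort, assertion, overflow or endless loop. */
typedef enum {
    DISSECT_OK = 0,
    DISSECT_TRUNCATED,       /* item length runs past the captured bytes */
    DISSECT_BAD_LENGTH,      /* item length smaller than its own header  */
    DISSECT_TOO_MANY_ITEMS   /* iteration guard tripped                  */
} dissect_result_t;

/* Hypothetical format (constructed for this example, not a real protocol):
 * items of "type (1 byte), length (1 byte), value"; length counts the whole
 * item including the 2-byte header, so a well-formed item is at least 2. */
#define HDR_LEN   2
#define MAX_ITEMS 64

typedef struct {
    size_t  items;           /* items walked before the verdict        */
    size_t  bytes_consumed;  /* offset reached when the walk stopped   */
    uint8_t last_type;       /* type code of the last item accepted    */
} dissect_stats_t;

dissect_result_t dissect_tlv(const uint8_t *buf, size_t len, dissect_stats_t *st)
{
    size_t off = 0;
    st->items = 0;
    st->bytes_consumed = 0;
    st->last_type = 0;

    while (off < len) {
        st->bytes_consumed = off;
        /* Guard 1: the 2-byte header itself must fit in what is left. */
        if (len - off < HDR_LEN)
            return DISSECT_TRUNCATED;
        uint8_t type     = buf[off];
        uint8_t item_len = buf[off + 1];

        /* Guard 2: an item shorter than its header would leave off unchanged
         * (length 0) or inside the header (length 1). A walker that simply
         * does "off += item_len" spins forever on a zero length. */
        if (item_len < HDR_LEN)
            return DISSECT_BAD_LENGTH;

        /* Guard 3: compare the claimed length against the bytes remaining,
         * in unsigned arithmetic that cannot wrap, before touching the value.
         * Trusting item_len here is how a dissector reads or copies past the
         * end of its buffer, or hands an impossible length to the tree. */
        if (item_len > len - off)
            return DISSECT_TRUNCATED;

        /* buf[off + HDR_LEN .. off + item_len) is now guaranteed in bounds;
         * this is where a real dissector would add the tree item with
         * exactly item_len - HDR_LEN as its length. */
        st->last_type = type;
        off += item_len;

        /* Guard 4: bound the number of iterations regardless of input. */
        if (++st->items > MAX_ITEMS) {
            st->bytes_consumed = off;
            return DISSECT_TOO_MANY_ITEMS;
        }
    }
    st->bytes_consumed = off;
    return DISSECT_OK;
}

/* Constructed sample packets (not captures from any real protocol). */
static const uint8_t pkt_valid[]    = { 0x01, 0x03, 0xAA, 0x02, 0x02 };
static const uint8_t pkt_zero_len[] = { 0x01, 0x00, 0xAA };  /* length 0: would loop forever  */
static const uint8_t pkt_overlong[] = { 0x01, 0x10, 0xAA };  /* claims 16 bytes, has 3         */
static const uint8_t pkt_trailing[] = { 0x01, 0x02, 0x05 };  /* good item, then a lone byte    */

/* Verdict only, for callers that do not need the statistics. */
dissect_result_t verdict(const uint8_t *buf, size_t len)
{
    dissect_stats_t st;
    return dissect_tlv(buf, len, &st);
}

/* Number of items accepted before the walk stopped. */
size_t items_walked(const uint8_t *buf, size_t len)
{
    dissect_stats_t st;
    dissect_tlv(buf, len, &st);
    return st.items;
}

/* Build n minimal (2-byte) items and dissect them; exercises Guard 4. */
dissect_result_t verdict_repeated(size_t n)
{
    uint8_t buf[256];
    if (n > sizeof buf / HDR_LEN) n = sizeof buf / HDR_LEN;
    for (size_t i = 0; i < n; i++) { buf[2 * i] = 0x01; buf[2 * i + 1] = HDR_LEN; }
    return verdict(buf, n * HDR_LEN);
}

int main(void)
{
    printf("valid:    verdict %d, items %zu\n", verdict(pkt_valid, sizeof pkt_valid), items_walked(pkt_valid, sizeof pkt_valid));
    printf("zero-len: verdict %d\n", verdict(pkt_zero_len, sizeof pkt_zero_len));
    printf("overlong: verdict %d\n", verdict(pkt_overlong, sizeof pkt_overlong));
    printf("trailing: verdict %d, items %zu\n", verdict(pkt_trailing, sizeof pkt_trailing), items_walked(pkt_trailing, sizeof pkt_trailing));
    printf("65 items: verdict %d\n", verdict_repeated(65));
    return 0;
}
```

The order of the guards matters: the header check must come before the header is read, and the "shorter than header" check must come before the offset is advanced, otherwise a zero length passes the remaining-bytes comparison and the loop never terminates. Note also that the comparison is written as `item_len > len - off` rather than `off + item_len > len`, so it cannot be defeated by arithmetic wrap-around on wider length fields.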
Comment 1 Petr Ostadal 2005-04-27 09:42:55 UTC
;) Super, the version update will help me; backporting the different versions
consumed a lot of time ;(. Can I make it?
Comment 2 Marcus Meissner 2005-04-27 13:07:52 UTC
I queried AJ and RF ... AJ has given his approval for
the box products already, waiting for Ralf.
Comment 3 Petr Ostadal 2005-05-05 08:35:15 UTC
Today a new version of ethereal was released
(http://www.ethereal.com/appnotes/enpa-sa-00019.html ).

I am preparing the update for SL BOXes and I am still waiting for Ralf's decision
(update for SLES9-SP2 is urgent).
Comment 4 Petr Ostadal 2005-05-05 14:57:46 UTC
I read now that Gerald Pfeifer is responsible for SLES8 and SLES9.
Gerald, could you decide on the version update for SLES?
Comment 5 Gerald Pfeifer 2005-05-06 14:07:35 UTC
Petr, if you do not hear otherwise by Monday, 16:00, the version update for
SLES9 is okay.

If you urgently need a decision before then, the version update is also okay.

(I'll try to check with Ralf.)
Comment 6 Gerald Pfeifer 2005-05-09 14:09:51 UTC
Petr, the update is okay but please make sure that this does not change
any existing command-line options or file formats (if applicable, I don't
know whether Ethereal has any specific files).
Comment 7 Petr Ostadal 2005-05-10 15:44:56 UTC
I have updated ethereal in sles8, 9.0, 9.1, sles9, sles9-sp2 (=sles9-beta), 9.2, 9.3
and stable.

Marcus, make a swamp id and patchinfo for it.
Comment 8 Marcus Meissner 2005-05-11 08:41:19 UTC
swampid: 1143
Comment 9 Marcus Meissner 2005-05-11 10:01:10 UTC
Yes, see below.                                                                  
                                                                                 
---------- Forwarded message ----------                                          
Date: Thu, 5 May 2005 19:31:22 -0400 (EDT)                                       
From: Steven M. Christey <coley@linus.mitre.org>                                 
To: Mark J Cox <mjc@redhat.com>                                                  
Cc: Steven M. Christey <coley@linus.mitre.org>, bressers@redhat.com              
Subject: Re: 20+ CVE names needed                                                
                                                                                 
.....                                                                            
                                                                                 
OK, I took a look at this advisory, and also at that massive Oracle              
advisory.  I'm currently of the mindset that in large-scale reports like         
this (where let's say there are 20 or more issues), I'd SPLIT by bug type        
and the *maximum* affected version, but ignore the starting versions.            
                                                                                 
This is a change from previous approaches, ESPECIALLY since we have all          
the relevant details right here, but I want to keep this exception to            
large-scale discoveries only.                                                    
                                                                                 
This leaves 15 CANs for Ethereal and about 27 for that massive Oracle            
advisory.  Still large, but not ludicrous large.                                 
                                                                                 
See the Ethereal CANs below.                                                     
                                                                                 
- Steve                                                                          
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1456                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1456                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet                  
dissectors in Ethereal before 0.10.11 allow remote attackers to cause            
a denial of service (abort).                                                     
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1457                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1457
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3)                   
FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in             
Ethereal before 0.10.11 allow remote attackers to cause a denial of              
service (crash).                                                                 
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1458                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1458                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown "other problems" in the KINK dissector in Ethereal              
before 0.10.11 have unknown impact and attack vectors.                           
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1459                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1459                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) WSP, (2) BER, (3) SMB, (4)           
NDPS, (5) IAX2, (6) RADIUS, (7) TCAP, (8) MRDISC, (9) 802.3 Slow, (10)           
SMBMailslot, or (11) SMB PIPE dissectors in Ethereal before 0.10.11              
allow remote attackers to cause a denial of service (assert error).              
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1460                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1460                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown dissectors in Ethereal before 0.10.11 allow remote              
attackers to cause a denial of service (assert error) via an invalid             
protocol tree item length.                                                       
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1461                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1461                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS,            
(5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11)              
FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17)             
PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in              
Ethereal before 0.10.11 allow remote attackers to cause a denial of              
service (crash) and possibly execute arbitrary code.                             
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1462                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1462                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Double-free vulnerability in the ICEP dissector in Ethereal before               
0.10.11 may allow remote attackers to execute arbitrary code.                    
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1463                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1463                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple format string vulnerabilities in the (1) DHCP and (2) ANSI A            
dissectors in Ethereal before 0.10.11 may allow remote attackers to              
execute arbitrary code.                                                          
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1464                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1464                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP,            
(4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in             
Ethereal before 0.10.11 allow remote attackers to cause a denial of              
service (infinite loop).                                                         
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1465                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1465                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Unknown vulnerability in the NCP dissector in Ethereal before 0.10.11
allows remote attackers to cause a denial of service (long loop).
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1466                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1466                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Unknown vulnerability in the DICOM dissector in Ethereal before                  
0.10.11 allows remote attackers to cause a denial of service (large              
memory allocation) via unknown vectors.                                          
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1467                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1467                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11
allows remote attackers to cause a denial of service (memory
exhaustion) via unknown vectors.
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1468                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1468                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) WSP, (2) Q.931, (3) H.245,           
(4) KINK, (5) MGCP, (6) RPC, (7) SMBMailslot, and (8) SMB NETLOGON               
Ethereal before 0.10.11 allow remote attackers to cause a denial of              
service (crash) via unknown vectors that lead to a null dereference.             
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1469                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1469                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11            
allows remote attackers to cause the dissector to access an invalid              
pointer.                                                                         
                                                                                 
                                                                                 
======================================================                           
Candidate: CAN-2005-1470                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1470                 
Reference: CONFIRM:http://www.ethereal.com/appnotes/enpa-sa-00019.html           
Reference: CONFIRM:http://www.ethereal.com/news/item_20050504_01.html            
                                                                                 
Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP,            
(4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow           
remote attackers to cause a denial of service (segmentation fault) via           
unknown vectors.                                                                 
Comment 10 Marcus Meissner 2005-05-12 08:11:08 UTC
Created attachment 36934
ethereal_sip.c

sample crash demo, run with:

./ethereal_sip <hostname>
Comment 11 Marcus Meissner 2005-05-13 07:56:00 UTC
*** Bug 83751 has been marked as a duplicate of this bug. ***
Comment 12 Michael Schröder 2005-05-18 12:48:48 UTC
Why is there no submission for 8.2?
Comment 13 Petr Ostadal 2005-05-18 15:13:07 UTC
My fault; now it is ok.
Comment 14 Thomas Biege 2005-05-31 13:21:41 UTC
packages approved
Comment 15 Thomas Biege 2009-10-13 21:19:31 UTC
CVE-2005-1470: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)