Overview
Wireshark contains an unsigned integer wrap vulnerability that may occur when parsing Endace Extensible Record Format (ERF) files.
Description
Wireshark is a protocol analyzer that can open or import previously saved files. When processing an Endace ERF file an unsigned integer wrap vulnerability may cause Wireshark to allocate a very large buffer. To exploit this issue, an attacker would have to convince a user to open a crafted ERF file using Wireshark. This issue also affects Tshark, the console version of Wireshark. |
Impact
A remote attacker can cause Wireshark to crash. It may be possible, although unlikely, for an attacker to execute arbitrary code. Exploiting the vulnerability could result in a NULL pointer dereference, which can lead to code execution on certain platforms. |
Solution
Update |
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
| Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
| Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
- http://www.wireshark.org/docs/relnotes/wireshark-1.2.2.html
- http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364
- https://www.securecoding.cert.org/confluence/display/cplusplus/INT30-CPP.+Ensure+that+unsigned+integer+operations+do+not+wrap
- http://wiki.wireshark.org/Security#head-ac69042aeeb98cdaed2ec2ff1bd2c983fa03cffd
- http://xorl.wordpress.com/2009/11/10/cve-2009-3829-wireshark-endace-erf-protocol-integer-underflow/
- http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf
Acknowledgements
This issue was discovered by Ryan Giobbi.
This document was written by Ryan Giobbi and Art Manion.
Other Information
| CVE IDs: | None |
| Severity Metric: | 1.28 |
| Date Public: | 2009-09-15 |
| Date First Published: | 2009-10-05 |
| Date Last Updated: | 2009-11-25 00:09 UTC |
| Document Revision: | 27 |