search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Ethereal contains integer overflow in PPP dissector

Vulnerability Note VU#361700

Original Release Date: 2003-05-12 | Last Revised: 2003-05-12

Overview

Ethereal is a network traffic analysis package. The PPP packet dissector contains a vulnerability that may result in the execution of arbitrary code.

Description

The PPP packet dissector for Ethereal contains an integer overflow vulnerability. According to the Ethereal Advisory, tvb_get_nstringz() and tvb_get_nstringz0() were used in an unsafe manner.

Versions 0.9.11 and earlier of Ethereal are affected.

Impact

It may be possible for a remote attacker to crash the program or run arbitrary code on the system via a crafted packet.

Solution

Upgrade to version 0.9.12 which resolves this issue.

Vendor Information

361700
 
Expand all

Ethereal Affected

Updated:  May 12, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.ethereal.com/appnotes/enpa-sa-00009.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.ethereal.com/appnotes/enpa-sa-00009.html

Acknowledgements

Thanks to Timo Sirainen for reporting this vulnerability.

This document was written by Jason A Rafail and is based upon information in the Ethereal Advisory.

Other Information

CVE IDs: None
Severity Metric: 6.95
Date Public: 2003-05-01
Date First Published: 2003-05-12
Date Last Updated: 2003-05-12 18:37 UTC
Document Revision: 5

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis