Description
Multiple serious vulnerabilities have been found in Wireshark. Malicious users can exploit these vulnerabilities to cause denial of service.
Below is a complete list of vulnerabilities
- Improper data validation and lack of restrictions can be exploited remotely via a specially designed packet or file;
- Improper memory access can be exploited remotely via a specially designed packet or file;
- Improper functions usage can be exploited remotely via a specially designed packet;
- Improper feature maintenance can be exploited remotely via a specially designed packet.
Technical details
Vulnerabilities (1) related to multiple reasons listed below:
dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c at the MS-WSP dissector does not validate column size.
dissect_tds7_colmetadata_token function in epan/dissectors/packet-tds.c at the TDS dissector does not validate the number of columns.
s7comm_decode_ud_cpu_szl_subfunc function in epan/dissectors/packet-s7comm_szl_ids.c at the S7COMM dissector does not validate the list count in an SZL response.
mp2t_open function in wiretap/mp2t.c at the MP2T file parser does not validate the bit rate.
dissect_nwp function in epan/dissectors/packet-nwp.c at the NWP dissector mishandles the packet type.
ngsniffer_process_record function in wiretap/ngsniffer.c at the Sniffer file parser does not validate the relationships between record lengths and record header lengths.
dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/packet-zbee-zcl-general.c at the ZigBee ZCL dissector does not validate the Total Profile Number field.
dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c at the RSL dissector does not reject unknown TLV types.
epan/dissectors/packet-nbap.c at the NBAP dissector does not validate the number of items.
ascend_seek function in wiretap/ascendtext.c at the Ascend file parser does not ensure the presence of a ‘�’ character at the end of a date string.
wiretap/vwr.c at the VeriWave file parser does not validate certain signature and Modulation and Coding Scheme (MCS) data.
dissect_diameter_base_framed_ipv6_prefix function in epan/dissectors/packet-diameter.c at the DIAMETER dissector does not validate the IPv6 prefix length.
AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c at the 802.11 dissector does not verify the WPA broadcast key length.
AirPDcapPacketProcess function in epan/crypt/airpdcap.c at the 802.11 dissector does not validate the relationship between the total length and the capture length.
epan/dissectors/packet-sctp.c at the SCTP dissector does not validate the frame pointer.
dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber.c at the BER dissector improperly checks an sscanf return value.
dissect_sdp function in epan/dissectors/packet-sdp.c at the SDP dissector does not prevent use of a negative media count.
init_t38_info_conv function in epan/dissectors/packet-t38.c at the T.38 dissector does not ensure that a conversation exists.
epan/dissectors/packet-alljoyn.c at the AllJoyn dissector does not check for empty arguments.
Vulnerabilities (2) related to multiple reasons listed below:
dissect_ppi function in epan/dissectors/packet-ppi.c at the PPI dissector does not initialize a packet-header data structure.
ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c at the IPMI dissector improperly attempts to access a packet scope.
mp2t_find_next_pcr function in wiretap/mp2t.c at the MP2T file parser does not reserve memory for a trailer.
get_value function in epan/dissectors/packet-btatt.c at the Bluetooth Attribute (aka BT ATT) dissector uses an incorrect integer data type.
Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c can be triggered via packet with zlib compression.
Double free vulnerability in epan/dissectors/packet-nlm.c at the NLM dissector can be triggered when the “Match MSG/RES packets for async NLM” option is enabled.
dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c at the DCOM dissector does not initialize a certain IPv4 data structure.
epan/dissectors/packet-umts_fp.c at the UMTS FP dissector does not properly reserve memory for channel ID mappings.
Vulnerabilities (3) related to multiple reasons listed below:
The Mobile Identity parser in epan/dissectors/packet-ansi_a.c at the ANSI A dissector and epan/dissectors/packet-gsm_a_common.c at the GSM A dissector improperly uses the tvb_bcd_dig_to_wmem_packet_str function.
dissect_dns_answer function in epan/dissectors/packet-dns.c at the DNS dissector mishandles the EDNS0 Client Subnet option.
Vulnerability (4) related to dissect_rsvp_common function in epan/dissectors/packet-rsvp.c at the RSVP dissector which does not properly maintain request-key data.
Original advisories
Related products
CVE list
- CVE-2015-8727 warning
- CVE-2015-8719 warning
- CVE-2015-8720 warning
- CVE-2015-8717 warning
- CVE-2015-8718 warning
- CVE-2015-8723 warning
- CVE-2015-8724 warning
- CVE-2015-8721 warning
- CVE-2015-8722 warning
- CVE-2015-8715 warning
- CVE-2015-8716 warning
- CVE-2015-8735 warning
- CVE-2015-8736 warning
- CVE-2015-8737 warning
- CVE-2015-8738 warning
- CVE-2015-8739 warning
- CVE-2015-8740 warning
- CVE-2015-8741 warning
- CVE-2015-8742 warning
- CVE-2015-8726 warning
- CVE-2015-8725 warning
- CVE-2015-8730 warning
- CVE-2015-8729 warning
- CVE-2015-8728 warning
- CVE-2015-8713 warning
- CVE-2015-8734 warning
- CVE-2015-8733 warning
- CVE-2015-8732 warning
- CVE-2015-8731 warning
- CVE-2015-8714 warning
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com