Description
Multiple serious vulnerabilities have been found in Wireshark. Malicious users can exploit these vulnerabilities to cause denial of service or gain privileges.
Below is a complete list of vulnerabilities:
- Multiple vulnerabilities in the LLRP, RSL, LBMC, HiQnet, HTTP/2, X.509AF, DNP3 and ASN.1 BER dissectors can be exploited remotely via a specially crafted packet;
- Multiple vulnerabilities in the iSeries and 3GPP TS 32.423 Trace file parsers can be exploited remotely via a specially crafted file;
- An untrusted search path vulnerability can be exploited locally via DLL hijacking (Windows).
Technical details
Vulnerability (1) covers the distinct vulnerabilities listed below:
- dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector does not limit recursion depth;
- An off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector can be triggered by a packet with a 0xFF tag value;
- dissect_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector mishandles an unrecognized TLV type;
- dissect_nhdr_extopt function in epan/dissectors/packet-lbmc.c in the LBMC dissector does not validate length values;
- epan/dissectors/packet-hiqnet.c in the HiQnet dissector does not validate the data type;
- epan/dissectors/packet-http2.c in the HTTP/2 dissector does not limit the amount of header data;
- epan/dissectors/packet-x509af.c in the X.509AF dissector mishandles the algorithm ID;
- An unknown vulnerability related to dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector;
- dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector.
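Two of the bug classes listed above, unbounded recursion (LLRP) and unvalidated length values (LBMC), come down to two checks in any nested TLV parser. The following is an added example, not Wireshark code and not part of the original advisory; the TLV layout, MAX_DEPTH, parse_params and check_depth are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH  16    /* assumed cap; choose one that fits the protocol */
#define TLV_HDR    3     /* constructed format: 1-byte type, 2-byte BE length */
#define TLV_NESTED 0x80  /* constructed flag: the value holds further TLVs */

/* Returns the number of leaf parameters, or -1 if the input is malformed
 * or nests deeper than MAX_DEPTH. */
static int parse_params(const uint8_t *buf, size_t len, unsigned depth)
{
    size_t off = 0;
    int leaves = 0;
    if (depth > MAX_DEPTH)
        return -1;                          /* bound the recursion */
    while (off < len) {
        if (len - off < TLV_HDR)
            return -1;                      /* truncated header */
        uint8_t type = buf[off];
        size_t vlen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += TLV_HDR;
        if (vlen > len - off)
            return -1;                      /* length exceeds remaining data */
        int n = (type & TLV_NESTED) ? parse_params(buf + off, vlen, depth + 1) : 1;
        if (n < 0)
            return -1;
        leaves += n;
        off += vlen;                        /* header already consumed, so a
                                               zero length still advances */
    }
    return leaves;
}

/* Constructed input: `levels` nested containers wrapped around one empty leaf. */
static int check_depth(unsigned levels)
{
    uint8_t b[4096];
    size_t total = (size_t)(levels + 1) * TLV_HDR;
    if (total > sizeof b)
        return -1;
    for (unsigned i = 0; i <= levels; i++) {
        size_t inner = total - (size_t)(i + 1) * TLV_HDR;
        b[i * TLV_HDR] = (i < levels) ? TLV_NESTED : 0x01;
        b[i * TLV_HDR + 1] = (uint8_t)(inner >> 8);
        b[i * TLV_HDR + 2] = (uint8_t)(inner & 0xFF);
    }
    return parse_params(b, total, 0);
}

int main(void) { printf("%d %d\n", check_depth(16), check_depth(17)); return 0; }
```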
Vulnerability (2) covers the vulnerabilities listed below:
- iseries_check_file_type function in wiretap/iseries.c in the iSeries file parser does not consider that a line may lack the “OBJECT PROTOCOL” substring;
- wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser does not ensure that a ‘