__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

                Ethereal Multiple Problems in 0.10.4
             [Ethereal Application Note enpa-sa-00015]

July 8, 2004 16:00 GMT                                          Number O-174
[REVISED 19 Jul 2004]
[REVISED 5 Aug 2004]
[REVISED 18 Aug 2004]
[REVISED 25 Oct 2004]
______________________________________________________________________________

PROBLEM:       Three issues were discovered in the following protocol
               dissectors:
               1) The iSNS dissector could make Ethereal abort in some
                  cases (0.10.3-0.10.4);
               2) SMB SID snooping could crash if there was no policy name
                  for a handle (0.9.15-0.10.4);
               3) The SNMP dissector could crash due to a malformed or
                  missing community string (0.8.15-0.10.4).

PLATFORM:      Ethereal 0.8.15 up to and including 0.10.4
               Debian GNU/Linux 3.0 (woody)
               Red Hat Enterprise Linux AS, ES, and WS (v.3)
               Red Hat Enterprise Linux AS, ES, and WS (v.2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3 Service Pack 1 Patch 10110

DAMAGE:        It may be possible to make Ethereal crash or run arbitrary
               code by injecting a purposefully malformed packet onto the
               wire or by convincing someone to read a malformed packet
               trace file.

SOLUTION:      Ethereal: Upgrade to 0.10.5.
               Debian: Apply appropriate patches.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. Ethereal is a widely used packet sniffer
ASSESSMENT:    and must be run as root. It may be possible to run arbitrary
               code or cause a crash.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-174.shtml
 ORIGINAL BULLETIN:  Ethereal Application Note enpa-sa-00015
                     http://ethereal.com/appnotes/enpa-sa-00015.html
 ADDITIONAL LINKS:   - Security Tracker Alert ID: 1010655
                       http://securitytracker.com/alerts/2004/Jul/1010655.html
                     - Debian Security Advisory #528
                       http://www.debian.org/security/2004/dsa-528
                     - Red Hat: RHSA-2004:378-08
                       https://rhn.redhat.com/errata/RHSA-2004-378.html
                     - SGI Security Advisory 20040803-01-U Update #24
                       http://www.sgi.com/support/security/advisories.html
                     - SGI Security Advisory 20041002-01-U Update #14
                       http://www.sgi.com/support/security/advisories.html
 CVE/CAN:            http://cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0633
                     CAN-2004-0634
                     CAN-2004-0635
______________________________________________________________________________

REVISION HISTORY:
 7/19/04  - added link to Debian Security Advisory #528 for their patches.
 8/05/04  - added link to Red Hat Security Advisory RHSA-2004:378-08.
 8/18/04  - added a link to SGI Security Advisory 20040803-01-U Update #24
            for SGI ProPack v2.4.
 10/25/04 - added a link to SGI Security Advisory 20041002-01-U Update #14
            for SGI ProPack 3.

[***** Start Ethereal Application Note enpa-sa-00015 *****]

Summary

Name:              Multiple problems in Ethereal 0.10.4
Docid:             enpa-sa-00015
Date:              July 6, 2004
Versions affected: 0.8.15 up to and including 0.10.4
Severity:          High

Details

Description:

Issues have been discovered in the following protocol dissectors:

 * The iSNS dissector could make Ethereal abort in some cases.
   (0.10.3 - 0.10.4) CAN-2004-0633
 * SMB SID snooping could crash if there was no policy name for a handle.
   (0.9.15 - 0.10.4) CAN-2004-0634
 * The SNMP dissector could crash due to a malformed or missing community
   string. (0.8.15 - 0.10.4) CAN-2004-0635

Impact:

It may be possible to make Ethereal crash or run arbitrary code by
injecting a purposefully malformed packet onto the wire or by convincing
someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.10.5.

If you are running a version prior to 0.10.5 and you cannot upgrade, you
can disable all of the protocol dissectors listed above by selecting
Analyze -> Enabled Protocols... and deselecting them from the list. For SMB,
you can alternatively disable SID snooping in the SMB protocol preferences.
However, it is strongly recommended that you upgrade to 0.10.5.

[***** End Ethereal Application Note enpa-sa-00015 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Ethereal for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-164: Red Hat Updated Kernel Packages Fix Security Vulnerabilities
O-165: Red Hat Updated libpng Packages Fix Security Issue
O-166: Sun StorEdge Enterprise Storage Manager (ESM) 2.1 Vulnerability
O-167: SGI - System Call SGI_IOPROBE Vulnerability
O-168: Squid - NTLM Authentication Buffer Overflow Vulnerability
O-169: Apache Buffer Overflow Vulnerability
O-170: HP-UX Netscape Vulnerabilities
O-171: Hewlett Packard OpenSSL Potential Vulnerabilities
O-172: Sun Solaris 9 Patches
O-173: Debian Webmin Vulnerabilities