__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                          Wireshark Security Update
                         [Red Hat RHSA-2007:0710-2]

November 7, 2007 22:00 GMT                                        Number S-041
                                                        [REVISED 16 Nov 2007]
                                                        [REVISED 23 Jan 2008]
______________________________________________________________________________

PROBLEM:       Several denial of service bugs were found in Wireshark's HTTP,
               iSeries, DCP ETSI, SSL, MMS, DHCP and BOOTP protocol dissectors.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)

DAMAGE:        It is possible for Wireshark to crash or stop responding if it
               reads a malformed packet off the network.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. It is possible for Wireshark to crash or stop
ASSESSMENT:    responding if it reads a malformed packet off the network.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-041.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0710.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2007-0709.html
                     http://www.securityfocus.com/bid/24662
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-3389 CVE-2007-3390 CVE-2007-3391 CVE-2007-3392
                     CVE-2007-3393
______________________________________________________________________________

REVISION HISTORY:
 11/16/2007 - revised S-041 to add a link to Red Hat RHSA-2007:0709-2 for
              Red Hat Desktop (v. 4), Red Hat Enterprise Linux AS, ES, WS
              (v. 4).
 01/23/2008 - revised S-041 to add a link to Security Focus 24662.
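Added example (not part of the CIAC or Red Hat text): a small Python script an administrator can use to decide whether a host still needs this update and to sanity-check a downloaded package. It reimplements the RPM version/release comparison (numeric segments compare numerically, numeric beats alphabetic, longer wins on a tie; tilde and caret handling is omitted as an assumption) so that an installed name-version-release string such as the output of `rpm -q wireshark` can be compared against the fix level wireshark-0.99.6-1.el5 from the Red Hat advisory quoted below. The MD5 table is copied from that advisory's RHEL 5 package list; the installed-package strings and the package bytes fed to it here are constructed sample input, and the function names `rpmvercmp`, `split_nvr`, `is_fixed` and `md5_matches_advisory` are names chosen for this example.

```python
"""Check an installed Wireshark RPM against the RHSA-2007:0710 fix level and
verify a downloaded package against the MD5 listed in the advisory.
Added example; not Red Hat's or CIAC's own tooling."""
import hashlib
import re

# Fix level for RHEL 5 from the advisory: wireshark-0.99.6-1.el5
FIXED_VERSION = "0.99.6"
FIXED_RELEASE = "1.el5"

# Package -> MD5 pairs copied from the advisory's RHEL 5 package list.
ADVISORY_MD5 = {
    "wireshark-0.99.6-1.el5.src.rpm": "f49fa8d0277d49cd8eaca3cab3d72990",
    "wireshark-0.99.6-1.el5.i386.rpm": "47debd82ab5bc864a3cdd9dd64484282",
    "wireshark-gnome-0.99.6-1.el5.i386.rpm": "b9b63d2c30c0100d5f573ebc81bd4023",
    "wireshark-0.99.6-1.el5.x86_64.rpm": "a28ed04bd22158d7cf68bc71589b82c4",
    "wireshark-gnome-0.99.6-1.el5.x86_64.rpm": "8fc46b79d4d74c5434b5a673c38d80d0",
}

# A version string is split into runs of digits and runs of letters.
_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpm does:
    numeric segments compare as integers, a numeric segment beats an
    alphabetic one, and if all shared segments are equal the string with
    more segments is newer. Returns -1, 0 or 1. Tilde/caret handling is
    deliberately omitted (assumption: not needed for these packages)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'wireshark-gnome-0.99.6-1.el5' -> ('wireshark-gnome', '0.99.6', '1.el5').
    Release and version never contain '-', so splitting on the last two
    dashes is safe."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr):
    """True if the installed package (e.g. the output of `rpm -q wireshark`,
    constructed here as sample input) is at or above the fix level.
    Epoch is assumed to be 0 on both sides."""
    name, version, release = split_nvr(nvr)
    if name not in ("wireshark", "wireshark-gnome"):
        raise ValueError("not a wireshark package: " + nvr)
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0


def md5_matches_advisory(filename, data):
    """Compare the MD5 of downloaded package bytes with the advisory table.
    Returns None if the file is not listed. A matching MD5 only shows the
    download is the file the advisory lists; MD5 is not collision resistant,
    and the Red Hat GPG signature (`rpm -K file.rpm`) is the authenticity
    check that actually matters."""
    expected = ADVISORY_MD5.get(filename)
    if expected is None:
        return None
    return hashlib.md5(data).hexdigest() == expected


if __name__ == "__main__":
    # Constructed sample `rpm -q` outputs: one vulnerable, one fixed.
    for pkg in ("wireshark-0.99.5-1.el5", "wireshark-gnome-0.99.6-1.el5"):
        print(pkg, "fixed" if is_fixed(pkg) else "VULNERABLE - apply RHSA-2007:0710")
    # Constructed bytes standing in for a downloaded RPM; will not match.
    print(md5_matches_advisory("wireshark-0.99.6-1.el5.src.rpm", b"not the real rpm"))
```

Run it on a RHEL 5 box by feeding `rpm -q wireshark wireshark-gnome` output to `is_fixed`; treat the MD5 table as a download integrity hint and `rpm -K` as the real signature check before installing.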
[***** Start Red Hat RHSA-2007:0710-2 *****]

Low: wireshark security update

Advisory:           RHSA-2007:0710-2
Type:               Security Advisory
Severity:           Low
Issued on:          2007-11-07
Last updated on:    2007-11-07
Affected Products:  RHEL Desktop Workstation (v. 5 client)
                    Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:               com.redhat.rhsa-20070710.xml
CVEs (cve.mitre.org):
                    CVE-2007-3389
                    CVE-2007-3390
                    CVE-2007-3391
                    CVE-2007-3392
                    CVE-2007-3393

Details

New Wireshark packages that fix various security vulnerabilities are now
available for Red Hat Enterprise Linux 5. Wireshark was previously known as
Ethereal.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Wireshark is a program for monitoring network traffic.

Several denial of service bugs were found in Wireshark's HTTP, iSeries, DCP
ETSI, SSL, MMS, DHCP and BOOTP protocol dissectors. It was possible for
Wireshark to crash or stop responding if it read a malformed packet off the
network. (CVE-2007-3389, CVE-2007-3390, CVE-2007-3391, CVE-2007-3392,
CVE-2007-3393)

Users of Wireshark and Ethereal should upgrade to these updated packages,
containing Wireshark version 0.99.6, which is not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
wireshark-gnome-0.99.6-1.el5.i386.rpm      b9b63d2c30c0100d5f573ebc81bd4023

x86_64:
wireshark-gnome-0.99.6-1.el5.x86_64.rpm    8fc46b79d4d74c5434b5a673c38d80d0

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
wireshark-0.99.6-1.el5.src.rpm             f49fa8d0277d49cd8eaca3cab3d72990

IA-32:
wireshark-0.99.6-1.el5.i386.rpm            47debd82ab5bc864a3cdd9dd64484282
wireshark-gnome-0.99.6-1.el5.i386.rpm      b9b63d2c30c0100d5f573ebc81bd4023

IA-64:
wireshark-0.99.6-1.el5.ia64.rpm            9803781c960202e93b07c15edfac733c
wireshark-gnome-0.99.6-1.el5.ia64.rpm      3711e4d1653c0aac43ee7b08f5149304

PPC:
wireshark-0.99.6-1.el5.ppc.rpm             598a710138caa4c174306ba4930201d4
wireshark-gnome-0.99.6-1.el5.ppc.rpm       7560565717c181cf210eab9438ae5f29

s390x:
wireshark-0.99.6-1.el5.s390x.rpm           25ac5e44a7a5dcd87c77292999b2501c
wireshark-gnome-0.99.6-1.el5.s390x.rpm     2238fbab472c7f05b7b3ac801f8652dc

x86_64:
wireshark-0.99.6-1.el5.x86_64.rpm          a28ed04bd22158d7cf68bc71589b82c4
wireshark-gnome-0.99.6-1.el5.x86_64.rpm    8fc46b79d4d74c5434b5a673c38d80d0

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
wireshark-0.99.6-1.el5.src.rpm             f49fa8d0277d49cd8eaca3cab3d72990

IA-32:
wireshark-0.99.6-1.el5.i386.rpm            47debd82ab5bc864a3cdd9dd64484282

x86_64:
wireshark-0.99.6-1.el5.x86_64.rpm          a28ed04bd22158d7cf68bc71589b82c4

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

245796 - CVE-2007-3389 Wireshark crashes when inspecting HTTP traffic
245797 - CVE-2007-3391 Wireshark loops infinitely when inspecting DCP ETSI traffic
245798 - CVE-2007-3392 Wireshark loops infinitely when inspecting SSL traffic
246221 - CVE-2007-3393 Wireshark corrupts the stack when inspecting BOOTP traffic
246225 - CVE-2007-3390 Wireshark crashes when inspecting iSeries traffic
246229 - CVE-2007-3392 Wireshark crashes when inspecting MMS traffic

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3393
http://www.wireshark.org/docs/relnotes/wireshark-0.99.6.html
http://www.redhat.com/security/updates/classification/#low

Keywords

BOOTP, crash, DCP, DHCP, DoS, ETSI, HTTP, iSeries, loop, MMS, SSL

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0710-2 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-031: RSA Keon Vulnerability
S-032: CUPS Security Update and Bug Fix Update
S-033: AIX lqueryvg Buffer Overflow Vulnerability
S-034: SonicWall NetExtender NELaunchCtrl ActiveX Vulnerability
S-035: Perdition Format String Error
S-036: Mono Vulnerability
S-037: Perl-Compatible Regular Expression (PCRE) Vulnerabilities
S-038: Perl Security Update
S-039: httpd Security Update
S-040: Vulnerability in Macrovision SECDRV.SYS Driver on Windows