Vulnerabilities > CVE-2012-5240 - Buffer Errors vulnerability in Wireshark 1.8.0/1.8.1/1.8.2
Attack vector
ADJACENT_NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malformed packet.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Windows NASL id WIRESHARK_1_8_3.NASL description The installed version of Wireshark 1.8 is earlier than 1.8.3. It thus is affected by the following vulnerabilities : - A malformed packet can cause the last seen 2020-06-01 modified 2020-06-02 plugin id 62478 published 2012-10-10 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62478 title Wireshark 1.8.x < 1.8.3 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(62478); script_version("1.7"); script_cvs_date("Date: 2019/12/04"); script_cve_id( "CVE-2012-3548", "CVE-2012-5237", "CVE-2012-5238", "CVE-2012-5240" ); script_bugtraq_id(55284, 55754); script_name(english:"Wireshark 1.8.x < 1.8.3 Multiple Vulnerabilities"); script_summary(english:"Does a version check"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains an application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The installed version of Wireshark 1.8 is earlier than 1.8.3. It thus is affected by the following vulnerabilities : - A malformed packet can cause the 'DRDA' and 'HSRP' dissectors to enter an infinite loop, thereby consuming excessive CPU resources. (CVE-2012-3548, CVE-2012-5237) - A malformed packet can cause the 'PPP' dissector to crash the application. (CVE-2012-5238) - A malformed packet can trigger a buffer overflow in the 'LDP' dissector, which results in an application crash. (CVE-2012-5240)"); script_set_attribute(attribute:"see_also", value:"http://www.wireshark.org/security/wnpa-sec-2012-26.html"); script_set_attribute(attribute:"see_also", value:"http://www.wireshark.org/security/wnpa-sec-2012-27.html"); script_set_attribute(attribute:"see_also", value:"http://www.wireshark.org/security/wnpa-sec-2012-28.html"); script_set_attribute(attribute:"see_also", value:"http://www.wireshark.org/security/wnpa-sec-2012-29.html"); script_set_attribute(attribute:"see_also", value:"http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Wireshark version 1.8.3 or later."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-5240"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/01"); script_set_attribute(attribute:"patch_publication_date", value:"2012/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wireshark:wireshark"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wireshark_installed.nasl"); script_require_keys("SMB/Wireshark/Installed"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Check each install. installs = get_kb_list_or_exit("SMB/Wireshark/*"); info = ''; info2 = ''; foreach install(keys(installs)) { if ("/Installed" >< install) continue; version = install - "SMB/Wireshark/"; if (version =~ "^1\.8\.[0-2]($|[^0-9])") info += '\n Path : ' + installs[install] + '\n Installed version : ' + version + '\n Fixed version : 1.8.3\n'; else info2 += 'Version ' + version + ', under ' + installs[install] + ' '; } # Remove trailing space on info2 if (strlen(info2) > 1) info2 = substr(info2, 0, strlen(info2) -2); # Report if any were found to be vulnerable if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 4) s = "s of Wireshark are"; else s = " of Wireshark is"; report = '\n' + 'The following vulnerable instance' + s + ' installed :\n' + '\n' + info; security_warning(port:get_kb_item("SMB/transport"), extra:report); } else security_warning(get_kb_item("SMB/transport")); exit(0); } if (info2) exit(0, "The following installed instance(s) of Wireshark are not affected : " + info2 + ".");NASL family Solaris Local Security Checks NASL id SOLARIS11_WIRESHARK_20130129.NASL description The remote Solaris system is missing necessary patches to address security updates : - The dissect_drda function in epan/dissectors/packet-drda.c in Wireshark 1.6.x through 1.6.10 and 1.8.x through 1.8.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a small value for a certain length field in a capture file. (CVE-2012-3548) - The dissect_hsrp function in epan/dissectors/packet-hsrp.c in the HSRP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2012-5237) - epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 1.8.3 uses incorrect OUI data structures during the decoding of (1) PPP and (2) LCP data, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a malformed packet. (CVE-2012-5238) - Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malformed packet. (CVE-2012-5240) last seen 2020-06-01 modified 2020-06-02 plugin id 80805 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80805 title Oracle Solaris Third-Party Patch Update : wireshark (multiple_vulnerabilities_in_wireshark4) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Oracle Third Party software advisories. # include("compat.inc"); if (description) { script_id(80805); script_version("1.2"); script_cvs_date("Date: 2018/11/15 20:50:24"); script_cve_id("CVE-2012-3548", "CVE-2012-5237", "CVE-2012-5238", "CVE-2012-5239", "CVE-2012-5240"); script_name(english:"Oracle Solaris Third-Party Patch Update : wireshark (multiple_vulnerabilities_in_wireshark4)"); script_summary(english:"Check for the 'entire' version."); script_set_attribute( attribute:"synopsis", value: "The remote Solaris system is missing a security patch for third-party software." ); script_set_attribute( attribute:"description", value: "The remote Solaris system is missing necessary patches to address security updates : - The dissect_drda function in epan/dissectors/packet-drda.c in Wireshark 1.6.x through 1.6.10 and 1.8.x through 1.8.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a small value for a certain length field in a capture file. (CVE-2012-3548) - The dissect_hsrp function in epan/dissectors/packet-hsrp.c in the HSRP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2012-5237) - epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 1.8.3 uses incorrect OUI data structures during the decoding of (1) PPP and (2) LCP data, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a malformed packet. (CVE-2012-5238) - Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malformed packet. (CVE-2012-5240)" ); # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4a913f44" ); # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-wireshark script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6ccbc2d4" ); script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.1.3.4."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:wireshark"); script_set_attribute(attribute:"patch_publication_date", value:"2013/01/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("solaris.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Solaris11/release"); if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11"); pkg_list = solaris_pkg_list_leaves(); if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages"); if (empty_or_null(egrep(string:pkg_list, pattern:"^wireshark$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "wireshark"); flag = 0; if (solaris_check_release(release:"0.5.11-0.175.1.3.0.4.0", sru:"SRU 11.1.3.4.0") > 0) flag++; if (flag) { error_extra = 'Affected package : wireshark\n' + solaris_get_report2(); error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra); if (report_verbosity > 0) security_warning(port:0, extra:error_extra); else security_warning(0); exit(0); } else audit(AUDIT_PACKAGE_NOT_AFFECTED, "wireshark");NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A77064141BE711E29AAD902B343DEEC9.NASL description Wireshark reports : The HSRP dissector could go into an infinite loop. The PPP dissector could abort. Martin Wilck discovered an infinite loop in the DRDA dissector. Laurent Butti discovered a buffer overflow in the LDP dissector. last seen 2020-06-01 modified 2020-06-02 plugin id 62649 published 2012-10-22 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62649 title FreeBSD : Wireshark -- Multiple Vulnerabilities (a7706414-1be7-11e2-9aad-902b343deec9) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(62649); script_version("1.7"); script_cvs_date("Date: 2018/11/23 12:49:57"); script_cve_id("CVE-2012-3548", "CVE-2012-5237", "CVE-2012-5238", "CVE-2012-5240"); script_name(english:"FreeBSD : Wireshark -- Multiple Vulnerabilities (a7706414-1be7-11e2-9aad-902b343deec9)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Wireshark reports : The HSRP dissector could go into an infinite loop. The PPP dissector could abort. Martin Wilck discovered an infinite loop in the DRDA dissector. Laurent Butti discovered a buffer overflow in the LDP dissector." ); # http://www.wireshark.org/security/wnpa-sec-2012-26.html script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2012-26.html" ); # http://www.wireshark.org/security/wnpa-sec-2012-27.html script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2012-27.html" ); # http://www.wireshark.org/security/wnpa-sec-2012-28.html script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2012-28.html" ); # http://www.wireshark.org/security/wnpa-sec-2012-29.html script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2012-29.html" ); # http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html" ); # https://vuxml.freebsd.org/freebsd/a7706414-1be7-11e2-9aad-902b343deec9.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?07104c74" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:tshark"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:tshark-lite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wireshark"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wireshark-lite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/02"); script_set_attribute(attribute:"patch_publication_date", value:"2012/10/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"wireshark<=1.8.2_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"wireshark-lite<=1.8.2_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"tshark<=1.8.2_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"tshark-lite<=1.8.2_1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Oval
| accepted | 2013-08-19T04:01:15.878-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malformed packet. | ||||||||
| family | windows | ||||||||
| id | oval:org.mitre.oval:def:15691 | ||||||||
| status | accepted | ||||||||
| submitted | 2012-10-09T15:58:55.334-04:00 | ||||||||
| title | Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 | ||||||||
| version | 7 |
References
- http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-ldp.c?r1=44801&r2=44800&pathrev=44801
- http://anonsvn.wireshark.org/viewvc?view=revision&revision=44801
- http://www.securityfocus.com/bid/55754
- http://www.securitytracker.com/id?1027604
- http://www.wireshark.org/security/wnpa-sec-2012-29.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7046
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7567
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15691