Vulnerabilities > CVE-2015-0560 - Data Processing Errors vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- XML Nested Payloads Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
- XML Oversized Payloads Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
- XML Client-Side Attack Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
- XML Parser Attack Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Nessus
NASL family Windows NASL id WIRESHARK_1_12_3.NASL description The remote Windows host has a version of Wireshark installed that is 1.10.x prior to 1.10.12 or 1.12.x prior to 1.12.3. It is, therefore, affected by multiple denial of service vulnerabilities in the following dissectors : - DEC DNA Routing (CVE-2015-0562) - LPP (CVE-2015-0561) - SMTP (CVE-2015-0563) - WCCP (CVE-2015-0559, CVE-2015-0560) - A denial of service vulnerability also exists related to a buffer underflow error in TLS/SSL session decryption. (CVE-2015-0564) A remote attacker, using a specially crafted packet or malformed pcap file, can exploit these to cause the application to crash. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 80459 published 2015-01-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80459 title Wireshark 1.10.x < 1.10.12 / 1.12.x < 1.12.3 Multiple DoS Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(80459); script_version("1.7"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2015-0559", "CVE-2015-0560", "CVE-2015-0561", "CVE-2015-0562", "CVE-2015-0563", "CVE-2015-0564" ); script_bugtraq_id( 71916, 71917, 71918, 71919, 71921, 71922 ); script_name(english:"Wireshark 1.10.x < 1.10.12 / 1.12.x < 1.12.3 Multiple DoS Vulnerabilities"); script_summary(english:"Checks the version of Wireshark."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains an application that is affected by multiple denial of service vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host has a version of Wireshark installed that is 1.10.x prior to 1.10.12 or 1.12.x prior to 1.12.3. It is, therefore, affected by multiple denial of service vulnerabilities in the following dissectors : - DEC DNA Routing (CVE-2015-0562) - LPP (CVE-2015-0561) - SMTP (CVE-2015-0563) - WCCP (CVE-2015-0559, CVE-2015-0560) - A denial of service vulnerability also exists related to a buffer underflow error in TLS/SSL session decryption. (CVE-2015-0564) A remote attacker, using a specially crafted packet or malformed pcap file, can exploit these to cause the application to crash. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2015-01.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2015-02.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2015-03.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2015-04.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2015-05.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/docs/relnotes/wireshark-1.10.12.html"); script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/docs/relnotes/wireshark-1.12.3.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Wireshark version 1.10.12 / 1.12.3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0564"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/07"); script_set_attribute(attribute:"patch_publication_date", value:"2015/01/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wireshark:wireshark"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wireshark_installed.nasl"); script_require_keys("installed_sw/Wireshark"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app_name = "Wireshark"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; path = install['path']; fixed_version = FALSE; # Affected : # 1.10.x < 1.10.12 # 1.12.x < 1.12.3 if (version =~ "^1\.10\.(\d|1[01])($|[^0-9])") fixed_version = "1.10.12"; else if (version =~ "^1\.12\.[0-2]($|[^0-9])") fixed_version = "1.12.3"; else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path); if (fixed_version) { port = get_kb_item("SMB/transport"); if (!port) port = 445; if (report_verbosity > 0) { report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);NASL family SuSE Local Security Checks NASL id SUSE_11_WIRESHARK-150205.NASL description wireshark has been updated to version 1.10.12 to fix six security issues : - The WCCP dissector could crash. (bnc#912365). (CVE-2015-0559 / CVE-2015-0560) - The LPP dissector could crash. (bnc#912368). (CVE-2015-0561) - The DEC DNA Routing Protocol dissector could crash. (bnc#912369). (CVE-2015-0562) - The SMTP dissector could crash. (bnc#912370). (CVE-2015-0563) - Wireshark could crash while decypting TLS/SSL sessions (bnc#912372) Further bug fixes and updated protocol support as listed in:. (CVE-2015-0564) https://www.wireshark.org/docs/relnotes/wireshark-1.10.12.html last seen 2020-06-01 modified 2020-06-02 plugin id 81642 published 2015-03-05 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81642 title SuSE 11.3 Security Update : wireshark (SAT Patch Number 10279) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(81642); script_version("$Revision: 1.4 $"); script_cvs_date("$Date: 2015/03/14 19:33:40 $"); script_cve_id("CVE-2015-0559", "CVE-2015-0560", "CVE-2015-0561", "CVE-2015-0562", "CVE-2015-0563", "CVE-2015-0564"); script_name(english:"SuSE 11.3 Security Update : wireshark (SAT Patch Number 10279)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing a security update." ); script_set_attribute( attribute:"description", value: "wireshark has been updated to version 1.10.12 to fix six security issues : - The WCCP dissector could crash. (bnc#912365). (CVE-2015-0559 / CVE-2015-0560) - The LPP dissector could crash. (bnc#912368). (CVE-2015-0561) - The DEC DNA Routing Protocol dissector could crash. (bnc#912369). (CVE-2015-0562) - The SMTP dissector could crash. (bnc#912370). (CVE-2015-0563) - Wireshark could crash while decypting TLS/SSL sessions (bnc#912372) Further bug fixes and updated protocol support as listed in:. (CVE-2015-0564) https://www.wireshark.org/docs/relnotes/wireshark-1.10.12.html" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=912365" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=912368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=912369" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=912370" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=912372" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0559.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0560.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0561.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0562.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0563.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2015-0564.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 10279."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:wireshark"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2015/02/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"wireshark-1.10.12-0.2.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"wireshark-1.10.12-0.2.1")) flag++; if (rpm_check(release:"SLES11", sp:3, reference:"wireshark-1.10.12-0.2.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-52.NASL description This update fixes the following security issues : + The WCCP dissector could crash wnpa-sec-2015-01 CVE-2015-0559 CVE-2015-0560 [boo#912365] + The LPP dissector could crash. wnpa-sec-2015-02 CVE-2015-0561 [boo#912368] + The DEC DNA Routing Protocol dissector could crash. wnpa-sec-2015-03 CVE-2015-0562 [boo#912369] + The SMTP dissector could crash. wnpa-sec-2015-04 CVE-2015-0563 [boo#912370] + Wireshark could crash while decypting TLS/SSL sessions. wnpa-sec-2015-05 CVE-2015-0564 [boo#912372] last seen 2020-06-05 modified 2015-01-26 plugin id 80986 published 2015-01-26 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80986 title openSUSE Security Update : wireshark (openSUSE-SU-2015:0113-1)
References
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10806
- http://www.wireshark.org/security/wnpa-sec-2015-01.html
- http://secunia.com/advisories/62612
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00053.html
- https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=a442a1c0e815fd61416cf408bd74d85a042ccc6a