=====================================================================
                                   CERT-Renater

                        Information Note No. 2005/VULN343
_____________________________________________________________________

DATE                      : 27/05/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Ethereal versions 0.8.14 up to
                               and including 0.10.10.

======================================================================

Name: Multiple problems in Ethereal versions 0.8.14 to 0.10.10
Docid: enpa-sa-00019
Date: May 4, 2005
Versions affected: 0.8.14 up to and including 0.10.10
Severity: High


Description:

An aggressive testing program as well as independent discovery has turned up
a multitude of security issues:

     * The ANSI A dissector was susceptible to format string vulnerabilities.

     * The GSM MAP dissector could crash.

     * The AIM dissector could cause a crash.

     * The DISTCC dissector was susceptible to a buffer overflow.

     * The FCELS dissector was susceptible to a buffer overflow.

     * The SIP dissector was susceptible to a buffer overflow.

     * The KINK dissector was susceptible to a null pointer exception,
       endless looping, and other problems.

     * The LMP dissector was susceptible to an endless loop.

     * The Telnet dissector could abort.

     * The TZSP dissector could cause a segmentation fault.

     * The WSP dissector was susceptible to a null pointer exception and
       assertions.

     * The 802.3 Slow protocols dissector could throw an assertion.

     * The BER dissector could throw assertions.

     * The SMB Mailslot dissector was susceptible to a null pointer
       exception and could throw assertions.

     * The H.245 dissector was susceptible to a null pointer exception.

     * The Bittorrent dissector could cause a segmentation fault.

     * The SMB dissector could cause a segmentation fault and throw assertions.

     * The Fibre Channel dissector could cause a crash.

     * The DICOM dissector could attempt to allocate large amounts of memory.

     * The MGCP dissector could dereference a null pointer, loop
       indefinitely, or segfault.

     * The RSVP dissector could loop indefinitely.

     * The DHCP dissector was susceptible to format string vulnerabilities,
       and could abort.

     * The SRVLOC dissector could crash unexpectedly or go into an infinite
       loop.

     * The EIGRP dissector could loop indefinitely.

     * The ISIS dissector could overflow a buffer.

     * The CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified,
       and X.509 dissectors could overflow buffers.

     * The NDPS dissector could exhaust system memory, throw an assertion, or
       crash.

     * The Q.931 dissector could try to free a null pointer and overflow a buffer.

     * The IAX2 dissector could throw an assertion.

     * The ICEP dissector could try to free the same memory twice.

     * The MEGACO dissector was susceptible to an infinite loop and a buffer
       overflow.

     * The DLSw dissector was susceptible to an infinite loop.

     * The RPC dissector was susceptible to a null pointer exception.

     * The NCP dissector could overflow a buffer or loop for a long time.

     * The RADIUS dissector could throw an assertion.

     * The GSM dissector could access an invalid pointer.

     * The SMB PIPE dissector could throw an assertion.

     * The L2TP dissector was susceptible to an infinite loop.

     * The SMB NETLOGON dissector could dereference a null pointer.

     * The MRDISC dissector could throw an assertion.

     * The ISUP dissector could overflow a buffer or cause a segmentation fault.

     * The LDAP dissector could crash.

     * The TCAP dissector could overflow a buffer or throw an assertion.

     * The NTLMSSP dissector could crash.

     * The Presentation dissector could overflow a buffer.

     * Additionally, a number of dissectors could throw an assertion when passing
       an invalid protocol tree item length.

Impact:

It may be possible to make Ethereal crash, use up available memory, or run
arbitrary code by injecting a purposefully malformed packet onto the wire or
by convincing someone to read a malformed packet trace file.

Resolution:

Upgrade to 0.10.11. Due to the severity and scope of the defects that have
been discovered, no workaround is available.
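Since the only remediation is an upgrade, the practical task for an administrator is to find every installed copy whose version lies in the affected range. The following script is an added example and is not part of the CERT-Renater advisory or of Ethereal itself: it compares dotted version strings as integer tuples (so that 0.10.10 sorts after 0.9.16, which a plain string comparison gets wrong) against the bounds quoted in the advisory. The version banners it parses are constructed sample input; the assumption that a tool prints its version as "<name> <major>.<minor>.<patch>" is the script's own, not the advisory's.

```python
"""Check whether an Ethereal version falls in the range this advisory covers.

Added example, not part of the CERT-Renater advisory. The affected range
(0.8.14 up to and including 0.10.10) and the fixed release (0.10.11) are
taken from the advisory text; the sample banners below are constructed.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Bounds quoted from the advisory.
FIRST_AFFECTED = (0, 8, 14)
LAST_AFFECTED = (0, 10, 10)
FIXED_VERSION = (0, 10, 11)

# First dotted three-part version number found in a line of text.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first three-part version in text as an int tuple, or None.

    Integer tuples compare numerically ("0.10.10" > "0.9.16"), which a plain
    string comparison would get wrong because '1' < '9'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when version lies inside the range the advisory lists as affected."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(banner: str) -> str:
    """Classify one version banner as 'affected', 'not affected' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def assess_all(banners: Iterable[str]) -> Dict[str, str]:
    """Map each banner to its classification, preserving input order."""
    return {banner: assess(banner) for banner in banners}


if __name__ == "__main__":
    # Constructed sample banners (assumption: the tool prints "<name> <version>").
    SAMPLE_BANNERS = [
        "ethereal 0.10.10",
        "ethereal 0.9.16",
        "ethereal 0.8.13",
        "ethereal 0.10.11",
        "tethereal 0.10.3",
        "ethereal (version string missing)",
    ]
    for banner, verdict in assess_all(SAMPLE_BANNERS).items():
        print(f"{banner:40s} -> {verdict}")
```

Feed it whatever version banners your inventory tooling produces; anything reported as "affected" should be upgraded to 0.10.11, and anything "unknown" should be checked by hand, since a missing version string is not evidence of a patched install.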

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
