=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN199
_____________________________________________________________________

DATE                      : 25/04/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Ethereal versions 0.8.5
                            to 0.10.14.

======================================================================

Ethereal 0.99.0 has been released.

What is Ethereal?

    Ethereal is the world's most popular network protocol analyzer. It
    is used for troubleshooting, analysis, development, and education.

What's New

   Bug Fixes

    Many security vulnerabilities have been fixed since the previous
    release. See the release notes and application advisory at

      http://www.ethereal.com/docs/release-notes/ethereal-0.99.0.html
      http://www.ethereal.com/appnotes/enpa-sa-00023.html

    for more details.

      o The H.248 dissector could crash. Versions affected: 0.10.14.
        CVE: CVE-2006-1937

      o The UMA dissector could go into an infinite loop. Versions
        affected: 0.10.12 - 0.10.14. CVE: CVE-2006-1933

      o The X.509if dissector could crash. Versions affected: 0.10.14.
        CVE: CVE-2006-1937

      o The SRVLOC dissector could crash. Versions affected: 0.10.0 -
        0.10.14. CVE: CVE-2006-1937

      o The H.245 dissector could crash. Versions affected: 0.10.13 -
        0.10.14. CVE: CVE-2006-1937

      o Ethereal's OID printing routine was susceptible to an
        off-by-one error. Versions affected: 0.10.14. CVE:
        CVE-2006-1932

      o The COPS dissector could overflow a buffer. Versions affected:
        0.9.15 - 0.10.14. CVE: CVE-2006-1935

      o The ALCAP dissector could overflow a buffer. Versions
        affected: 0.10.14. CVE: CVE-2006-1934

    Under a grant funded by the U.S. Department of Homeland Security,
    Coverity has uncovered a number of vulnerabilities in
    Ethereal:

      o The statistics counter could crash Ethereal. Versions
        affected: 0.10.10 - 0.10.14. CVE: CVE-2006-1937

      o Ethereal could crash while reading a malformed Sniffer
        capture. Versions affected: 0.8.12 - 0.10.14. CVE:
        CVE-2006-1938

      o An invalid display filter could crash Ethereal. Versions
        affected: 0.9.16 - 0.10.14. CVE: CVE-2006-1939

      o The general packet dissector could crash Ethereal. Versions
        affected: 0.10.9 - 0.10.14. CVE: CVE-2006-1937

      o The AIM dissector could crash Ethereal. Versions affected:
        0.10.7 - 0.10.14. CVE: CVE-2006-1937

      o The RPC dissector could crash Ethereal. Versions affected:
        0.9.8 - 0.10.14. CVE: CVE-2006-1939

      o The DCERPC dissector could crash Ethereal. Versions affected:
        0.9.16 - 0.10.14. CVE: CVE-2006-1939

      o The ASN.1 dissector could crash Ethereal. Versions affected:
        0.9.8 - 0.10.14. CVE: CVE-2006-1939

      o The SMB PIPE dissector could crash Ethereal. Versions
        affected: 0.8.20 - 0.10.14. CVE: CVE-2006-1938

      o The BER dissector could loop excessively. Versions affected:
        0.10.4 - 0.10.14. CVE: CVE-2006-1933

      o The SNDCP dissector could abort. Versions affected: 0.10.4 -
        0.10.14. CVE: CVE-2006-1940

      o The Network Instruments file code could overrun a buffer.
        Versions affected: 0.10.0 - 0.10.14. CVE: CVE-2006-1934

      o The NetXray/Windows Sniffer file code could overrun a buffer.
        Versions affected: 0.10.13 - 0.10.14. CVE: CVE-2006-1934

      o The GSM SMS dissector could crash Ethereal. Versions affected:
        0.9.16 - 0.10.14. CVE: CVE-2006-1939

      o The ALCAP dissector could overrun a buffer. Versions affected:
        0.10.14. CVE: CVE-2006-1934

      o The telnet dissector could overrun a buffer. Versions
        affected: 0.8.5 - 0.10.14. CVE: CVE-2006-1936

      o ASN.1-based dissectors could crash Ethereal. Versions
        affected: 0.9.10 - 0.10.14. CVE: CVE-2006-1939

      o The H.248 dissector could crash Ethereal. Versions affected:
        0.10.11 - 0.10.14. CVE: CVE-2006-1937

      o The DCERPC NT dissector could crash Ethereal. Versions
        affected: 0.9.14 - 0.10.14. CVE: CVE-2006-1939

      o The PER dissector could crash Ethereal. Versions affected:
        0.9.14 - 0.10.14. CVE: CVE-2006-1939

    Under Windows, Unicode characters in profile and configuration
    file paths could cause problems. Versions affected: 0.10.14.

    The Coverity audit turned up several UI-related bugs that could
    make Ethereal crash.

   New and Updated Features

    The following features are new (or have been significantly
    updated) since the last release:

      o The new command line tool dumpcap makes it possible to capture
        network data without the drawbacks of (t)ethereal (memory
        usage, security problems, ...) while keeping the benefit of
        advanced techniques such as multiple (ringbuffer) files and
        the like.

        The man page of dumpcap in HTML format is available at
        http://www.ethereal.com/docs/man-pages/dumpcap.1.html.

      o The source distribution of Ethereal now supports SSL, IPsec
        ESP, and ISAKMP decryption. (This feature has not yet been
        enabled in the Windows installer.)

      o Win32: Catch hardware exceptions caused by buggy dissectors.
        If, for example, a NULL pointer exception occurs, Ethereal no
        longer crashes; it displays the exception and tries to
        continue decoding packets.

      o The Windows version of Ethereal now uses native open and save
        file dialogs.

        In related news, Ethereal now runs as a full-fledged Unicode
        application under Windows.

      o Recent versions of Ethereal were flagging packets with an
        incorrect TCP checksum as malformed. False positives were
        being triggered on systems that use TCP checksum offloading.
        We now check to see if the checksum is not 0x0000 before
        flagging the packet as malformed.

        Please note: if your system uses TCP checksum offloading and
        Ethereal still shows bad checksums for outgoing TCP packets
        and the checksums for outgoing TCP packets are not 0x0000,
        this could mean that your operating system is exposing kernel
        memory unnecessarily. If this is the case, you should report
        the problem to your OS vendor.

      o The expert analysis feature has been enhanced.
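
The checksum-offloading rule described in the TCP checksum item above can be illustrated as follows. This is an added example, not Ethereal's own code; the function names, the verdict enum and the sample segment are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum csum_verdict { CSUM_OK, CSUM_OFFLOAD_SUSPECTED, CSUM_BAD };

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (len) acc += (uint32_t)(p[0] << 8);   /* pad odd trailing byte */
    return acc;
}

/* Classify the checksum of one IPv4 TCP segment (header plus payload). */
enum csum_verdict tcp_csum_verdict(const uint8_t src[4], const uint8_t dst[4],
                                   const uint8_t *seg, size_t len)
{
    if (len < 20 || len > 0xFFFF) return CSUM_BAD;   /* cannot hold a TCP header */
    uint8_t pseudo[4] = { 0, 6, (uint8_t)(len >> 8), (uint8_t)len }; /* zero, proto, length */
    uint32_t acc = sum16(seg, len, sum16(pseudo, 4, sum16(dst, 4, sum16(src, 4, 0))));
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    if (acc == 0xFFFF) return CSUM_OK;               /* sum including the field is all ones */
    /* Mismatch: 0x0000 is what an unfilled, offloaded field looks like. */
    return (seg[16] | seg[17]) == 0 ? CSUM_OFFLOAD_SUSPECTED : CSUM_BAD;
}

/* Constructed sample: SYN from 192.0.2.1:12345 to 192.0.2.2:80, checksum field zeroed. */
static const uint8_t SRC[4] = { 192, 0, 2, 1 }, DST[4] = { 192, 0, 2, 2 };
static const uint8_t SYN[20] = { 0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0,
                                 0x50,0x02, 0x20,0x00, 0x00,0x00, 0,0 };

/* Verdict for the sample with its checksum field set to `field`. */
enum csum_verdict sample_verdict(uint16_t field)
{
    uint8_t seg[sizeof SYN];
    memcpy(seg, SYN, sizeof SYN);
    seg[16] = (uint8_t)(field >> 8);
    seg[17] = (uint8_t)field;
    return tcp_csum_verdict(SRC, DST, seg, sizeof seg);
}

int main(void)
{
    printf("%d %d %d\n", sample_verdict(0xDB54), sample_verdict(0x0000),
           sample_verdict(0x1234));
    return 0;
}
```

A CSUM_BAD verdict on outgoing packets from a host that offloads checksums corresponds to the non-0x0000 case the note above asks users to report to their OS vendor.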

   New Protocol Support

    ACP133, E.212, Nortel LGE Monitor, OICQ

   Updated Protocol Support

    3G A11, 802.11, 802.1Q, 802.3 Slow Protocols, AIM, ALCAP, ANSI
    MAP, ASF, ASN.1 BER, ASN.1 PER, BACapp, BACnet, BFD, BGP, BPDU,
    BSSAP, BSSGP, Camel, CDP, CLNP, CMP, COPS, DCERPC (DCERPC, LSA,
    NT, PNP), DCOM (CBA, DCOM, Dispatch), DHCP, DIAMETER, DNS, DOCSIS
    DCC, eDonkey, Ethernet, FC, FCP, FIX, G.723, GIOP, GRE, GSM A, GSM
    MAP, GSSAPI, GTP, H.245, H.248, H.450, HTTP, IAPP, ICMPv6, iFCP,
    IP, IPMI, IPP, IPsec, IPv6, ISAKMP, iSCSI, ISUP, IuUP, Juniper
    GGSN, JXTA, K12, Kerberos, LAPD, LDAP, LLDP, LOOP, M3UA, MEGACO,
    MPLS, MS MMS, MS NLB, MS Proxy, MTP3, NBNS, NCP 2222, NDPS,
    Netflow, NFS, NJACK, NLM, NSIP, NTLMSSP, PN-DCP, POP, PPP, Q.931,
    Radiotap, RADIUS, RANAP, RNSAP, RPC, RSYNC, RTCP, RTP, SCCP, SCCP
    MG, SCSI, SDP, Sebek, SES, SIGCOMP, SIGCOMP UDVM, SIP, SKINNY,
    SMB2, SMB (Mailslot, PIPE, SMB), SMPP, SNDCP, SNMP, SOCKS, SPNEGO,
    SRVLOC, SSL, STUN, Syslog, T.38, TACACS, TCAP, TCP, TDS, Telnet,
    TIPC, UDP, UMA, WSP, X11, X.411, X.509, XML

   New and Updated Capture File Support

    iSeries, Snoop, Windows Sniffer

Getting Ethereal

   The source code, Windows and Solaris installers can be downloaded
   immediately from the following locations:

Main site:

Windows installer:

   http://www.ethereal.com/distribution/win32/ethereal-setup-0.99.0.exe

Source code:

   http://www.ethereal.com/distribution/ethereal-0.99.0.tar.gz
   http://www.ethereal.com/distribution/ethereal-0.99.0.tar.bz2

Source RPM:

   http://www.ethereal.com/distribution/rpms/

Solaris installers:

   http://www.ethereal.com/distribution/solaris/

SourceForge:

   http://sourceforge.net/project/showfiles.php?group_id=255


The mirror sites listed at

   http://www.ethereal.com/download.html#releases

should be updated shortly.

    -------------------------------------------------------------------

Digests

ethereal-0.99.0.tar.bz2: 8884587 bytes
ethereal-0.99.0.tar.gz: 11284145 bytes
ethereal-setup-0.99.0.exe: 13053058 bytes
ethereal-0.99.0-1.src.rpm: 11268280 bytes
ethereal-0.99.0-solaris2.8-sparc-local.bz2: 13737042 bytes
ethereal-0.99.0-solaris2.9-sparc-local.bz2: 13725364 bytes
patch-ethereal-0.10.14-to-0.99.0.diff.bz2: 1282447 bytes

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


