{"vuid":"VU#676492","idnumber":"676492","name":"Wireshark Endace ERF unsigned integer wrap vulnerability","keywords":["Wireshark","unsigned integer wrap","wireshark","tshark","INT30-CPP","discovery","erf","endace"],"overview":"Wireshark contains an unsigned integer wrap vulnerability that may occur when parsing Endace Extensible Record Format (ERF) files.","clean_desc":"Wireshark is a protocol analyzer that can open or import previously saved files. When processing an Endace ERF file an unsigned integer wrap vulnerability may cause Wireshark to allocate a very large buffer. To exploit this issue, an attacker would have to convince a user to open a crafted ERF file using Wireshark. This issue also affects Tshark, the console version of Wireshark.","impact":"A remote attacker can cause Wireshark to crash. It may be possible, although unlikely, for an attacker to execute arbitrary code. Exploiting the vulnerability could result in a NULL pointer dereference, which can lead to code execution on certain platforms.","resolution":"Update\nWireshark 1.2.2 has been released to address this and other issues.","workarounds":"Do not run Wireshark with root or administrator privileges Running Wireshark with a limited user account will reduce the impact of this and other vulnerabilities.","sysaffected":"","thanks":"This issue was discovered by Ryan Giobbi.","author":"This document was written by Ryan Giobbi and Art Manion.","public":["http://www.wireshark.org/docs/relnotes/wireshark-1.2.2.html","http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364","https://www.securecoding.cert.org/confluence/display/cplusplus/INT30-CPP.+Ensure+that+unsigned+integer+operations+do+not+wrap","http://wiki.wireshark.org/Security#head-ac69042aeeb98cdaed2ec2ff1bd2c983fa03cffd","http://xorl.wordpress.com/2009/11/10/cve-2009-3829-wireshark-endace-erf-protocol-integer-underflow/","http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-08-10T19:13:36Z","publicdate":"2009-09-15T00:00:00Z","datefirstpublished":"2009-10-05T15:20:50Z","dateupdated":"2009-11-25T00:09:26Z","revision":27,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"2","cam_population":"4","cam_impact":"10","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"1.275","cam_scorecurrentwidelyknown":"1.65","cam_scorecurrentwidelyknownexploited":"3.15","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"Not Defined (ND)","cvss_reportconfidence":"Not Defined (ND)","cvss_collateraldamagepotential":"Not Defined (ND)","cvss_targetdistribution":"Not Defined (ND)","cvss_securityrequirementscr":"Not Defined (ND)","cvss_securityrequirementsir":"Not Defined (ND)","cvss_securityrequirementsar":"Not Defined (ND)","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)","metric":1.275,"vulnote":null}