SB2020011602 - Multiple vulnerabilities in Wireshark
Published: January 16, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2020-7045)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the BT ATT dissector. A remote attacker can send specially crafted data and crash the application.
2) Off-by-one (CVE-ID: CVE-2020-7044)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an off-by-one error within the WASSP dissector. A remote attacker can send specially crafted network traffic, trigger an off-by-one error and crash the application.
Remediation
Install update from vendor's website.
References
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258
- https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d
- https://www.wireshark.org/security/wnpa-sec-2020-02.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16324
- https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03
- https://www.wireshark.org/security/wnpa-sec-2020-01.html