Wireshark up to 1.10.1 ASSA R3 Dissector infinite resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.7 | $0-$5k | 0.00 |
Summary
A vulnerability identified as problematic has been detected in Wireshark up to 1.10.1. Affected by this vulnerability is an unknown functionality of the file infinite of the component ASSA R3 Dissector. This manipulation causes resource management. This vulnerability is registered as CVE-2013-5719. No exploit is available. You should upgrade the affected component.
Details
A vulnerability was found in Wireshark up to 1.10.1 (Packet Analyzer Software). It has been declared as critical. Affected by this vulnerability is some unknown functionality of the file infinite of the component ASSA R3 Dissector. The manipulation with an unknown input leads to a resource management vulnerability. The CWE definition for the vulnerability is CWE-399. As an impact it is known to affect integrity, and availability. The summary by CVE is:
epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
The weakness was published 09/11/2013 by Ben Schmidt as wnpa-sec-2013-56 · ASSA R3 dissector infinite loop as confirmed advisory (Website). The advisory is shared at wireshark.org. The public release has been coordinated with the project team. This vulnerability is known as CVE-2013-5719 since 09/11/2013. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 71488 (GLSA-201312-13 : Wireshark: Multiple vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Gentoo Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 166363 (OpenSuSE Security Update for Wireshark (openSUSE-SU-2013:1481-1)).
Upgrading to version 1.10.2 eliminates this vulnerability. The upgrade is hosted for download at wireshark.org. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (87019), Tenable (71488), SecurityFocus (BID 62318†), OSVDB (97222†) and Secunia (SA54765†). Additional details are provided at wireshark.org. Similar entries are available at VDB-10266, VDB-10280, VDB-10281 and VDB-10282. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Name
Version
License
Website
- Product: https://www.wireshark.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.1VulDB Meta Temp Score: 8.7
VulDB Base Score: 9.1
VulDB Temp Score: 8.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 71488
Nessus Name: GLSA-201312-13 : Wireshark: Multiple vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 802903
OpenVAS Name: Wireshark Multiple Vulnerabilities-01 Sep13 (Windows)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Wireshark 1.10.2
Timeline
09/10/2013 🔍09/10/2013 🔍
09/11/2013 🔍
09/11/2013 🔍
09/11/2013 🔍
09/11/2013 🔍
09/16/2013 🔍
09/16/2013 🔍
09/22/2013 🔍
05/24/2021 🔍
Sources
Product: wireshark.orgAdvisory: wnpa-sec-2013-56 · ASSA R3 dissector infinite loop
Researcher: Ben Schmidt
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2013-5719 (🔍)
GCVE (CVE): GCVE-0-2013-5719
GCVE (VulDB): GCVE-100-10285
OVAL: 🔍
IAVM: 🔍
X-Force: 87019
SecurityFocus: 62318 - Wireshark ASSA R3 Dissector CVE-2013-5719 Denial of Service Vulnerability
Secunia: 54765 - Wireshark Multiple Vulnerabilities, Highly Critical
OSVDB: 97222
Vulnerability Center: 41565 - Wireshark ASSA R3 Dissector Allows Remote DoS via a Crafted Packet, Medium
Misc.: 🔍
See also: 🔍
Entry
Created: 09/16/2013 12:32Updated: 05/24/2021 17:16
Changes: 09/16/2013 12:32 (87), 05/11/2017 08:59 (3), 05/24/2021 17:16 (3)
Complete: 🔍
Committer:
Cache ID: 216:E6F:103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.