CVE-2010-4538
Published 2011-01-07
Priority: P2 (60) · critical · CVSS 2.0 base 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public PoC available · EPSS: 28.98% (97.9th percentile)
Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < 1.2.11-6 (Debian package version; DSA-2144) | 1.2.11-6 |
| wireshark | wireshark | 1.4.2 (per NVD); Debian's 1.2.11 package was also affected | upstream SVN r35318 (no release version is given on this page) |
Note: the source listed six ranges, four of them identical copies of "wireshark >= 0 < 1.2.11-6". That range mixes a Debian package version into the upstream row and would wrongly exclude 1.4.2, the version NVD names, so the duplicates are collapsed here and the upstream row states the affected version directly.
Detection & IOCs (extracted from sources)
command: python exploit.py <host> (sends a crafted ENTTEC DMX UDP packet with an RLE-compressed payload to port 3333)
bytes: 45 53 44 44 10 20 04 00 0c fe ff 41 fe ff 42 fe ff 43 fe ff 44 ('ESDD' magic, five header bytes, then four 0xFE-marked runs)
- Detect UDP datagrams to port 3333 that begin with the magic bytes 'ESDD' (0x45534444) and carry RLE-encoded DMX payload bytes (0xFE run markers); this is the shape of the public PoC for CVE-2010-4538.
- The vulnerable code path is sect_enttec_dmx_da in epan/dissectors/packet-enttec.c; the crash or code execution requires an affected Wireshark (1.4.2 per NVD) to dissect a crafted ENTTEC DMX packet with RLE compression. Monitor for Wireshark crashes while it processes UDP traffic on port 3333.
- The bug is also reachable by opening a specially crafted DMX capture file (pcap) containing RLE-compressed frames; inspect capture files opened by affected Wireshark versions for ENTTEC DMX frames with RLE-encoded payloads.
- The overflow triggers only when the ENTTEC dissector processes packets whose payload is RLE-compressed; the attack surface covers both live capture on UDP port 3333 and offline analysis of crafted capture files.
- Successful exploitation runs code with the privileges of the user running Wireshark; deployments that run Wireshark as root or another elevated user are at highest risk.
- The upstream fix is SVN revision 35318; Debian resolved the issue in package version 1.2.11-6. Ensure Wireshark is patched beyond 1.4.2.
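The IOCs above (UDP/3333, the 'ESDD' magic, 0xFE run markers) can be turned into a small payload classifier. The following is an added example written for this page; it is not code from the PoC, from Wireshark, or from any of the advisories. It assumes: the five header bytes between 'ESDD' and the first 0xFE in the quoted PoC are universe, start code, type and a big-endian data size (the page does not spell the layout out); a run is encoded as 0xFE <count> <value> and a literal as 0xFD <byte>, which is how the ENTTEC dissector expands RLE (the page only names the 0xFE marker); and that the dissector's DMX buffer holds one 512-channel DMX universe, so a stream that expands past 512 bytes is the overflow condition. The sample datagrams are constructed, not captured; the first mirrors the PoC bytes quoted on the page.

```python
"""Added example: flag oversized RLE-compressed ENTTEC DMX ('ESDD') datagrams on UDP/3333."""
import struct
from typing import Optional

ENTTEC_PORT = 3333
ESDD_MAGIC = b"ESDD"            # 0x45534444, first four bytes of an ENTTEC DMX data packet
RLE_RUN = 0xFE                  # run marker from the page's IOC: 0xFE <count> <value>
RLE_ESCAPE = 0xFD               # literal escape, 0xFD <byte> (assumption, not stated on the page)
DMX_UNIVERSE_SIZE = 512         # DMX512 channel count; assumed size of the dissector's stack buffer

# Assumed header layout after the magic: universe, start code, type, data size (big-endian).
# The PoC bytes quoted on the page carry exactly five bytes between 'ESDD' and the first 0xFE run.
ESDD_HEADER = struct.Struct("!4sBBBH")


def rle_expanded_length(stream: bytes, limit: int = 16 * DMX_UNIVERSE_SIZE) -> int:
    """Return how many DMX channel bytes an RLE stream expands to, without materialising them.

    Counting stops once `limit` is reached so a huge stream cannot slow the detector.
    A run or escape cut off by the end of the stream is malformed and raises ValueError.
    """
    i, expanded, n = 0, 0, len(stream)
    while i < n and expanded < limit:
        marker = stream[i]
        if marker == RLE_RUN:                  # 0xFE <count> <value>
            if i + 2 >= n:
                raise ValueError("truncated RLE run at offset %d" % i)
            expanded += stream[i + 1]
            i += 3
        elif marker == RLE_ESCAPE:             # 0xFD <literal>
            if i + 1 >= n:
                raise ValueError("truncated RLE escape at offset %d" % i)
            expanded += 1
            i += 2
        else:                                  # plain channel byte
            expanded += 1
            i += 1
    return expanded


def analyse_esdd(payload: bytes) -> dict:
    """Classify one UDP payload: is it ESDD, does it use RLE, and how far does it expand."""
    result = {"is_esdd": False, "has_rle": False, "declared_size": None,
              "expanded": 0, "oversized": False, "malformed": False}
    if len(payload) < ESDD_HEADER.size or not payload.startswith(ESDD_MAGIC):
        return result
    result["is_esdd"] = True
    _magic, _universe, _start_code, _type, declared = ESDD_HEADER.unpack_from(payload)
    result["declared_size"] = declared
    data = payload[ESDD_HEADER.size:]
    # The page's IOC keys on 0xFE marker bytes; treat any payload containing one as RLE-encoded.
    result["has_rle"] = RLE_RUN in data
    if not result["has_rle"]:
        result["expanded"] = len(data)
    else:
        try:
            result["expanded"] = rle_expanded_length(data)
        except ValueError:
            result["malformed"] = True
            return result
    # Overflow condition: more decoded channel bytes than one DMX universe holds.
    result["oversized"] = result["expanded"] > DMX_UNIVERSE_SIZE
    return result


def alert_for_datagram(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert string for a suspicious datagram, or None if it looks benign."""
    if dst_port != ENTTEC_PORT:
        return None
    r = analyse_esdd(payload)
    if not r["is_esdd"]:
        return None
    if r["malformed"]:
        return "ENTTEC ESDD datagram with truncated RLE stream"
    if r["oversized"]:
        return ("ENTTEC ESDD RLE payload expands to %d bytes (> %d DMX channels); "
                "matches the CVE-2010-4538 PoC shape" % (r["expanded"], DMX_UNIVERSE_SIZE))
    return None


# Constructed samples (not captured traffic). POC_LIKE mirrors the bytes quoted on the page:
# four 0xFE runs of 0xFF (255) bytes each, which expand to 1020 channel bytes.
POC_LIKE = bytes.fromhex("45534444 10 20 04 00 0c fe ff 41 fe ff 42 fe ff 43 fe ff 44")
BENIGN_RLE = ESDD_HEADER.pack(ESDD_MAGIC, 0, 0, 2, 6) + bytes([0xFE, 200, 0x00, 0xFE, 200, 0xFF])
BENIGN_RAW = ESDD_HEADER.pack(ESDD_MAGIC, 0, 0, 1, 512) + bytes(512)
NOT_ENTTEC = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, pkt in [("poc_like", POC_LIKE), ("benign_rle", BENIGN_RLE),
                      ("benign_raw", BENIGN_RAW), ("not_enttec", NOT_ENTTEC)]:
        print(name, alert_for_datagram(ENTTEC_PORT, pkt))
```

The expansion is counted rather than materialised, which is the point: the vulnerable dissector trusted the encoded stream and wrote every expanded byte into a fixed buffer, whereas a detector (or a fixed dissector) only needs the total to know the stream is hostile. Treating any 0xFE byte as an RLE indicator follows the page's IOC and will produce false positives on uncompressed frames that happen to contain 0xFE; gate on the type byte once you have confirmed its encoding against the dissector.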
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
Note: CVSS 2.0 has no "critical" band; NVD's v2 scale rates 9.3 as HIGH, which is why the GHSA entry below labels the same score HIGH.
GHSA
GHSA-62gg-qf9h-q3jx: Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec
ghsa_unreviewed · 2022-05-17 · severity HIGH · CWE-119
Description: identical to the NVD text above.
OSV
CVE-2010-4538: Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec
osv · 2011-01-07 · CVSS 9.3 (CRITICAL)
Description: identical to the NVD text above.
Red Hat
Wireshark: Stack-based array index error in ENTTEC dissector (upstream bug #5539)
vendor_redhat · 2010-12-31 · CVSS 9.3 (CRITICAL)
Description: identical to the NVD text above.
Debian
CVE-2010-4538: wireshark - Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-ent...
vendor_debian · 2010 · CVSS 9.3 (CRITICAL)
Description: identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 1.2.11-6)
bullseye: resolved (fixed in 1.2.11-6)
forky: resolved (fixed in 1.2.11-6)
sid: resolved (fixed in 1.2.11-6)
trixie: resolved (fixed in 1.2.11-6)
No detection rules found.
Bugzilla
CVE-2010-4538 Wireshark: Stack-based array index error in ENTTEC dissector (upstream bug #5539)
bugzilla · 2011-01-03 · CVSS 9.3 (CRITICAL)

An array index error, leading to a stack-based buffer overflow, was found in the way the ENTTEC dissector of the Wireshark network traffic analyzer processed certain captures. A remote attacker could use this flaw to cause the wireshark executable to crash or, potentially, execute arbitrary code with the privileges of the user running wireshark, if the local user opened a specially-crafted DMX data capture file, with Run Length Encoding (RLE) used for compression of the DMX signal.

Upstream bug report:
[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5539
Upstream changeset:
[2] http://anonsvn.wireshark.org/viewvc?view=rev&revision=35318
Sample public PoC capture file:
[3] https://bugs.wires
Bugzilla (unrelated entry: this one concerns CVE-2009-4538, a Linux kernel e1000e driver issue, not the Wireshark vulnerability above; it is listed here only because the identifier suffix matches)
CVE-2009-4538 kernel: e1000e frame fragment issue
bugzilla · 2009-12-29 · CVSS 10.0 (CRITICAL)

Description of problem:
Similar to the second issue that Fab mentioned in his presentation at 26c3, this affects the e1000e driver. See https://bugzilla.redhat.com/show_bug.cgi?id=550907#c0 issue #2 for the description, and this https://bugzilla.redhat.com/show_bug.cgi?id=550907#c4. This bug is filed to make sure we fix this too.
http://www.securityfocus.com/bid/37523

Discussion:
A quick heads up to all the release owners on this bug: the patch I posted upstream for bz 550915 (specifically the e1000 bits) will apply pretty cleanly to e1000e here.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0019 https://rhn.redhat.com/errata/RHSA-2010-0019.html
---
This issue has been addressed
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053042.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053061.html
- http://openwall.com/lists/oss-security/2010/12/31/7
- http://openwall.com/lists/oss-security/2011/01/03/8
- http://osvdb.org/70244
- http://secunia.com/advisories/42767
- http://secunia.com/advisories/42853
- http://secunia.com/advisories/42910
- http://secunia.com/advisories/42914
- http://www.debian.org/security/2011/dsa-2144
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:002
- http://www.redhat.com/support/errata/RHSA-2011-0013.html
- http://www.securityfocus.com/bid/45634
- http://www.securitytracker.com/id?1024930
- http://www.vupen.com/english/advisories/2011/0008
- http://www.vupen.com/english/advisories/2011/0053
- http://www.vupen.com/english/advisories/2011/0069
- http://www.vupen.com/english/advisories/2011/0079
- http://www.vupen.com/english/advisories/2011/0099
- http://www.vupen.com/english/advisories/2011/0110
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5539
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14937
Published: 2011-01-07