[Zeek-Announce] Bro 2.6.2 release (security update)
Jon Siwek
jsiwek at corelight.com
Thu May 30 09:29:35 PDT 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A security patch release, Bro v2.6.2, is now available for download:
https://www.zeek.org/download/index.html
The following Denial of Service vulnerabilities are addressed:
* Integer type mismatches in BinPAC-generated parser code and Bro
analyzer code may allow for crafted packet data to cause
unintentional code paths in the analysis logic to be taken due to
unsafe integer conversions causing the parser and analysis logic
to each expect different fields to have been parsed. One such
example, reported by Maksim Shudrak, causes the Kerberos analyzer
to dereference a null pointer. CVE-2019-12175 was assigned for
this issue.
* The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional attribute
and several usages lacked existence checks. Crafted packet data
could potentially cause an attempt to access such uninitialized
fields, generate a runtime error/exception, and leak memory.
Existence checks and &optional attributes have been added to the
relevant Kerberos fields.
* BinPAC-generated protocol parsers commonly contain fields whose
length is derived from other packet input, and for those that allow
for incremental parsing, BinPAC did not impose a limit on how
large such a field could grow, allowing for remotely-controlled
packet data to cause growth of BinPAC's flowbuffer bounded only
by the numeric limit of an unsigned 64-bit integer, leading
to memory exhaustion. There is now a generalized limit for
how large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
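The first and third items above describe two ways a length taken from packet input can desynchronize a parser from its analyzer or exhaust memory: an unchecked integer conversion, and a flow buffer whose growth is bounded only by the width of the integer that sizes it. The following C++ is an added illustration written for this announcement; it is not BinPAC's generated code nor Bro's own flowbuffer. The wire format (an 8-byte big-endian length followed by the payload), the `FlowBuffer` class, and the `kFlowBufferCapacityMax` constant are all constructed for the example; the constant merely stands in for the `BinPAC::flowbuffer_capacity_max` tunable named above and its value is not the project's default.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Constructed stand-in for the BinPAC::flowbuffer_capacity_max tunable named
// in the announcement. The value is an example, not the project's default.
constexpr uint64_t kFlowBufferCapacityMax = 64 * 1024;
constexpr size_t kHeaderLen = 8;   // constructed format: 8-byte big-endian length

enum class Status { NeedMore, FrameReady, TooLarge, Overflow };

// Minimal incremental flow buffer for the constructed wire format. Bytes
// arrive in arbitrary chunks via feed(); the declared length comes straight
// from packet input, so it is range-checked before any allocation is sized
// from it.
class FlowBuffer {
public:
  explicit FlowBuffer(uint64_t capacity_max = kFlowBufferCapacityMax)
      : capacity_max_(capacity_max) {}

  Status feed(const uint8_t* data, size_t len) {
    if (failed_) return last_;   // sticky failure: the analyzer stops here
    pending_.insert(pending_.end(), data, data + len);

    if (!have_header_) {
      if (pending_.size() < kHeaderLen) return last_ = Status::NeedMore;

      uint64_t declared = 0;
      for (size_t i = 0; i < kHeaderLen; ++i)
        declared = (declared << 8) | pending_[i];

      // Checked narrowing: size_t may be narrower than the parsed uint64, so
      // an implicit conversion could wrap to a small value and leave the
      // parser and analyzer expecting different fields (first bullet).
      if (declared > std::numeric_limits<size_t>::max())
        return fail(Status::Overflow);

      // Capacity ceiling: without it the only bound on growth is the uint64
      // range itself (third bullet).
      if (declared > capacity_max_) return fail(Status::TooLarge);

      frame_len_ = static_cast<size_t>(declared);
      have_header_ = true;
      pending_.erase(pending_.begin(), pending_.begin() + kHeaderLen);
      pending_.reserve(frame_len_);   // safe: bounded above by capacity_max_
    }

    if (pending_.size() < frame_len_) return last_ = Status::NeedMore;
    return last_ = Status::FrameReady;
  }

  // Hands back the completed payload and resets for the next frame, keeping
  // any bytes that already belong to the following frame. Returns an empty
  // vector if no frame is complete.
  std::vector<uint8_t> take_frame() {
    if (!have_header_ || pending_.size() < frame_len_) return {};
    std::vector<uint8_t> frame(pending_.begin(), pending_.begin() + frame_len_);
    pending_.erase(pending_.begin(), pending_.begin() + frame_len_);
    have_header_ = false;
    frame_len_ = 0;
    return frame;
  }

  Status status() const { return last_; }

private:
  Status fail(Status s) { failed_ = true; return last_ = s; }

  uint64_t capacity_max_;
  std::vector<uint8_t> pending_;
  size_t frame_len_ = 0;
  bool have_header_ = false;
  bool failed_ = false;
  Status last_ = Status::NeedMore;
};

// Builds a constructed frame header declaring the given payload length.
std::vector<uint8_t> make_header(uint64_t declared_len) {
  std::vector<uint8_t> h(kHeaderLen);
  for (int i = int(kHeaderLen) - 1; i >= 0; --i) {
    h[i] = uint8_t(declared_len & 0xff);
    declared_len >>= 8;
  }
  return h;
}

// Drives a buffer over a list of chunks and reports the final status.
Status feed_chunks(FlowBuffer& fb, const std::vector<std::vector<uint8_t>>& chunks) {
  Status s = Status::NeedMore;
  for (const auto& c : chunks) s = fb.feed(c.data(), c.size());
  return s;
}
```

A header declaring a length above the ceiling is refused before `reserve` is ever called, and the failure is sticky so later chunks cannot reopen the frame; a frame split across chunks is reassembled normally. The order of the two checks matters: the conversion check runs first so that the capacity comparison is made on a value that has not already wrapped.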
-----BEGIN PGP SIGNATURE-----
iQIzBAEBAgAdFiEE6WkLK32KwaGfkhxKxotJTfVqzH4FAlzvRkwACgkQxotJTfVq
zH4pLA//SO5JEvq1OLU5MFUvaMD2FraqcAsE/nj7+Yt+UbyRqG3NAwdgE19ZmtCb
bRTbHpdnRo+chM+JdtB+alyojgAt0sBtMQyVqMSR2UhQgCn68OJvCT9Qi7FbCI/q
ZqxKYwZ9Lfrgx4EJWnbS2hNhrBsSt9kBtqm/6YsPjyIIk3zt4q5xxJwaAouQIDFy
DxTQqwaIeDNvjjV9HxYkzrWJINt4CzxG512yfXBgX1sRa2rNAhiSGOubd6uFjkWu
WABfzJUDQILN0RiefT8MilEf1OBCcLtUNhVAnIgqkUkmkWm48VZu2Sup6THwU3nU
N3x8XFYBLLbV3+l1dt8fqWAyzBPWs2irQBY2xmPT2xBkq4gQXxlR1Le41b/hZXCJ
azmmDepedm6vfSl2Q0S9wNqEVpFAx98wj7cGZuce4VLom3W0ANl67jchXrzIX2UT
BZ78jc50F8+FM7/yjYsUf+kd5t6zOWGSCq2iraZBDOaNKa1bVKBirbmFySkVuCDt
fKXyLw7OKSsZD18P2SVQWHKv/JdfOTm7SRixm5Sbr+yNFceNU0KTrMSu8WI+4kxE
qpVSjbMqf5XpUWZYygtGZQgg5lsrgArkOWoIfxldGDLpjQM5vUdvY3uJEdOxIsZT
AmdS3SFoorzHPhKywiSANRbGdMn4o8E3y1UCdyoerKrZJoy2ZZc=
=XuB+
-----END PGP SIGNATURE-----