Vulnerability Details : CVE-2014-2282
The dissect_protocol_data_parameter function in epan/dissectors/packet-m3ua.c in the M3UA dissector in Wireshark 1.10.x before 1.10.6 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted SS7 MTP3 packet.
Vulnerability category: Overflow, Denial of service
Products affected by CVE-2014-2282
- cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2282
- 0.34%: probability of exploitation activity in the next 30 days
- ~71%: percentile, the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2014-2282
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2014-2282
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2282
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9699
  Bug Access Denied
- http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-m3ua.c?r1=51608&r2=51607&pathrev=51608
  code.wireshark Code Review - wireshark.git/tree (Patch)
- http://www.wireshark.org/security/wnpa-sec-2014-02.html
  Wireshark · wnpa-sec-2014-02 · M3UA dissector crash (Vendor Advisory)
- http://www.securitytracker.com/id/1029907
  Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code - SecurityTracker
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00046.html
  openSUSE-SU-2014:0382-1: moderate: wireshark to 1.8.13/1.10.6
- http://anonsvn.wireshark.org/viewvc?view=revision&revision=51608
  code.wireshark Code Review - wireshark.git/tree (Patch)
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_wireshark10
  Multiple vulnerabilities in Wireshark | Oracle Third Party Vulnerability Resolution Blog