Nessus plugin: REDHAT_UNPATCHED-WIRESHARK-RHEL7.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
May 11, 2024 - 12:00 a.m.

RHEL 7 : wireshark (Unpatched Vulnerability)

AI Score: 9.5 (Confidence: High)

EPSS: 0.021 (Percentile: 89.5%)

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • wireshark: free operation on an uninitialized memory address in wiretap/netmon.c (CVE-2018-6836)

  • The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-2523)

  • The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 mishandles the case of an unrecognized TLV type, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet, a different vulnerability than CVE-2016-2531. (CVE-2016-2530)

  • Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that triggers a 0xff tag value, a different vulnerability than CVE-2016-2530. (CVE-2016-2531)

  • The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 does not limit the recursion depth, which allows remote attackers to cause a denial of service (memory consumption or application crash) via a crafted packet. (CVE-2016-2532)

  • epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet. (CVE-2016-4006)

  • epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-4076)

  • epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. (CVE-2016-4077)

  • The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c. (CVE-2016-4078)

  • epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet. (CVE-2016-4079)

  • epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. (CVE-2016-4080)

  • epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-4081)

  • epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet. (CVE-2016-4082)

  • epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure that data is available before array allocation, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-4083)

  • Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash) via a crafted packet that triggers an unexpected array size. (CVE-2016-4084)

  • Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet. (CVE-2016-4085)

  • Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers a 0xff tag value. (CVE-2016-4417)

  • epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers an empty set. (CVE-2016-4418)

  • epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data. (CVE-2016-4421)

  • epan/dissectors/packet-dcerpc-spoolss.c in the SPOOLS component in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles unexpected offsets, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-5350)

  • epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the lack of an EAPOL_RSN_KEY, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-5351)

  • epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.4 mishandles certain length values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-5352)

  • epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the reserved C/T value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-5353)

  • The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-5354)

  • wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. (CVE-2016-5355)

  • wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. (CVE-2016-5356)

  • wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. (CVE-2016-5357)

  • epan/dissectors/packet-pktap.c in the Ethernet dissector in Wireshark 2.x before 2.0.4 mishandles the packet-header data type, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-5358)

  • epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.12.x before 1.12.12 mishandles offsets, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted packet. (CVE-2016-5359)

  • epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet. (CVE-2016-6505)

  • epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6506)

  • epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12.x before 1.12.13 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6507)

  • epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. (CVE-2016-6508)

  • epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 mishandles conversations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-6509)

  • Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. (CVE-2016-6510)

  • epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (OpenFlow dissector large loop) via a crafted packet. (CVE-2016-6511)

  • epan/dissectors/packet-wap.c in Wireshark 2.x before 2.0.5 omits an overflow check in the tvb_get_guintvar function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet, related to the MMSE, WAP, WBXML, and WSP dissectors. (CVE-2016-6512)

  • epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 2.x before 2.0.5 does not restrict the recursion depth, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-6513)

  • epan/dissectors/packet-qnet6.c in the QNX6 QNET dissector in Wireshark 2.x before 2.0.6 mishandles MAC address data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. (CVE-2016-7175)

  • epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x before 2.0.6 calls snprintf with one of its input buffers as the output buffer, which allows remote attackers to cause a denial of service (copy overlap and application crash) via a crafted packet. (CVE-2016-7176)

  • epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 does not restrict the number of channels, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. (CVE-2016-7177)

  • epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 2.x before 2.0.6 does not ensure that memory is allocated for certain data structures, which allows remote attackers to cause a denial of service (invalid write access and application crash) via a crafted packet. (CVE-2016-7178)

  • Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2016-7179)

  • epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wireshark 2.x before 2.0.6 does not properly consider whether a string is constant, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. (CVE-2016-7180)

  • In Wireshark 2.2.0, the Bluetooth L2CAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-btl2cap.c by avoiding use of a seven-byte memcmp for potentially shorter strings. (CVE-2016-7957)

  • In Wireshark 2.2.0, the NCP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/CMakeLists.txt by registering this dissector. (CVE-2016-7958)

  • In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input with too many I/O objects. (CVE-2016-9372)

  • In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings. (CVE-2016-9373)

  • In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable. (CVE-2016-9374)

  • In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful. (CVE-2016-9375)

  • In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large. (CVE-2016-9376)

  • In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by rejecting invalid Frame Control parameter values. (CVE-2017-11406)

  • In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could crash. This was addressed in epan/dissectors/packet-mq.c by validating the fragment length before a reassembly attempt. (CVE-2017-11407)

  • In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector could crash. This was addressed in epan/dissectors/packet-amqp.c by checking for successful list dissection. (CVE-2017-11408)

  • In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a large loop. This was addressed in epan/dissectors/packet-gprs-llc.c by using a different integer data type. (CVE-2017-11409)

  • In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding validation of the relationships between indexes and lengths. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-7702. (CVE-2017-11410)

  • In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by adding length validation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9350. (CVE-2017-11411)

  • In Wireshark 2.4.0, the Modbus dissector could crash with a NULL pointer dereference. This was addressed in epan/dissectors/packet-mbtcp.c by adding length validation. (CVE-2017-13764)

  • In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation. (CVE-2017-13765)

  • In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write. This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. (CVE-2017-13766)

  • In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. (CVE-2017-13767)

  • In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements. (CVE-2017-15189)

  • In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable. (CVE-2017-15190)

  • In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length. (CVE-2017-15191)

  • In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level. (CVE-2017-15192)

  • In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach. (CVE-2017-15193)

  • In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector could crash. This was addressed in epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a buffer. (CVE-2017-17083)

  • In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissector could crash. This was addressed in epan/dissectors/packet-iwarp-mpa.c by validating a ULPDU length. (CVE-2017-17084)

  • In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. This was addressed in epan/dissectors/packet-cipsafety.c by validating the packet length. (CVE-2017-17085)

  • The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip ‘\n’ characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet that triggers the attempted processing of an empty line. (CVE-2017-17935)

  • In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar to CVE-2017-9343. (CVE-2017-17997)

  • In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-asterix.c by changing a data type to avoid an integer overflow. (CVE-2017-5596)

  • In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector could go into a large loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dhcpv6.c by changing a data type to avoid an integer overflow. (CVE-2017-5597)

  • In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory. (CVE-2017-6014)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on file size. (CVE-2017-6467)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser crash, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating the relationship between pages and records. (CVE-2017-6468)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS dissector crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-ldss.c by ensuring that memory is allocated for a certain data structure. (CVE-2017-6469)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining packet lateness. (CVE-2017-6470)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by validating the capability length. (CVE-2017-6471)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dissector infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rtmpt.c by properly incrementing a certain sequence value. (CVE-2017-6472)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file parser crash, triggered by a malformed capture file. This was addressed in wiretap/k12.c by validating the relationships between lengths and offsets. (CVE-2017-6473)

  • In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating record sizes. (CVE-2017-6474)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero record size. (CVE-2017-7700)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-bgp.c by using a different integer data type. (CVE-2017-7701)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding length validation. (CVE-2017-7702)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-imap.c by calculating a line’s end correctly. (CVE-2017-7703)

  • In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dof.c by using a different integer data type and adjusting a return value. (CVE-2017-7704)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rpcrdma.c by correctly checking for going beyond the maximum offset. (CVE-2017-7705)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-sigcomp.c by correcting a memory-size check. (CVE-2017-7745)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length. (CVE-2017-7746)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-packetbb.c by restricting additions to the protocol tree. (CVE-2017-7747)

  • In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by adding a length check. (CVE-2017-7748)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector misuses a NULL pointer. This was addressed in epan/dissectors/packet-msnip.c by validating an IPv4 address. (CVE-2017-9343)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP dissector could divide by zero. This was addressed in epan/dissectors/packet-btl2cap.c by validating an interval value. (CVE-2017-9344)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-dns.c by trying to detect self-referencing pointers. (CVE-2017-9345)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-slsk.c by making loop bounds more explicit. (CVE-2017-9346)

  • In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. This was addressed in epan/dissectors/asn1/ros/packet-ros-template.c by validating an OID. (CVE-2017-9347)

  • In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-dof.c by validating a size value. (CVE-2017-9348)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was addressed in epan/dissectors/packet-dcm.c by validating a length value. (CVE-2017-9349)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by checking for a negative length. (CVE-2017-9350)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-bootp.c by extracting the Vendor Class Identifier more carefully. (CVE-2017-9351)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-bzr.c by ensuring that backwards parsing cannot occur. (CVE-2017-9352)

  • In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was addressed in epan/dissectors/packet-ipv6.c by validating an IPv6 address. (CVE-2017-9353)

  • In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in epan/dissectors/packet-rgmp.c by validating an IPv4 address. (CVE-2017-9354)

  • In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c. (CVE-2017-9616)

  • In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector. (CVE-2017-9617)

  • In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c. (CVE-2017-9766)

  • In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup. (CVE-2018-11358)

  • In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read. (CVE-2018-19625)

  • In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks. (CVE-2018-5334)

  • In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length. (CVE-2018-5335)

  • In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth. (CVE-2018-5336)

  • In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values. (CVE-2019-9209)

  • Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. (CVE-2020-26421)

  • Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file (CVE-2021-22207)

  • Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allow denial of service via packet injection or crafted capture file (CVE-2023-0411)

  • TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file (CVE-2023-0412)

  • Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file (CVE-2023-0413)

  • Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file (CVE-2023-0414)

  • iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file (CVE-2023-0415)

  • GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file (CVE-2023-0416)

  • Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file (CVE-2023-0417)

  • Due to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. (CVE-2023-0666)

  • Due to failure in validating the length provided by an attacker-crafted IEEE-C37.118 packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. (CVE-2023-0668)

  • ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of service via packet injection or crafted capture file (CVE-2023-1161)

  • RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file (CVE-2023-1992)

  • LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file (CVE-2023-1993)

  • GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file (CVE-2023-1994)

  • BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file (CVE-2023-2854, CVE-2023-2857)

  • Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file (CVE-2023-2855)

  • VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file (CVE-2023-2856)

  • NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file (CVE-2023-2858)

  • Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 are susceptible to a divide by zero, allowing for a denial of service attack. (CVE-2023-2906)

  • XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file (CVE-2023-2952)

  • BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file (CVE-2023-4511)

  • CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file (CVE-2023-4512)

  • BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file (CVE-2023-4513)

  • RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file (CVE-2023-5371)

  • SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted capture file (CVE-2023-6174)

  • NetScreen file parser crash in Wireshark 4.0.0 to 4.0.10 and 3.6.0 to 3.6.18 allows denial of service via crafted capture file (CVE-2023-6175)

  • T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file (CVE-2024-2955)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory wireshark. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196709);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-2523",
    "CVE-2016-2530",
    "CVE-2016-2531",
    "CVE-2016-2532",
    "CVE-2016-4006",
    "CVE-2016-4076",
    "CVE-2016-4077",
    "CVE-2016-4078",
    "CVE-2016-4079",
    "CVE-2016-4080",
    "CVE-2016-4081",
    "CVE-2016-4082",
    "CVE-2016-4083",
    "CVE-2016-4084",
    "CVE-2016-4085",
    "CVE-2016-4417",
    "CVE-2016-4418",
    "CVE-2016-4421",
    "CVE-2016-5350",
    "CVE-2016-5351",
    "CVE-2016-5352",
    "CVE-2016-5353",
    "CVE-2016-5354",
    "CVE-2016-5355",
    "CVE-2016-5356",
    "CVE-2016-5357",
    "CVE-2016-5358",
    "CVE-2016-5359",
    "CVE-2016-6505",
    "CVE-2016-6506",
    "CVE-2016-6507",
    "CVE-2016-6508",
    "CVE-2016-6509",
    "CVE-2016-6510",
    "CVE-2016-6511",
    "CVE-2016-6512",
    "CVE-2016-6513",
    "CVE-2016-7175",
    "CVE-2016-7176",
    "CVE-2016-7177",
    "CVE-2016-7178",
    "CVE-2016-7179",
    "CVE-2016-7180",
    "CVE-2016-7957",
    "CVE-2016-7958",
    "CVE-2016-9372",
    "CVE-2016-9373",
    "CVE-2016-9374",
    "CVE-2016-9375",
    "CVE-2016-9376",
    "CVE-2017-5596",
    "CVE-2017-5597",
    "CVE-2017-6014",
    "CVE-2017-6467",
    "CVE-2017-6468",
    "CVE-2017-6469",
    "CVE-2017-6470",
    "CVE-2017-6471",
    "CVE-2017-6472",
    "CVE-2017-6473",
    "CVE-2017-6474",
    "CVE-2017-7700",
    "CVE-2017-7701",
    "CVE-2017-7702",
    "CVE-2017-7703",
    "CVE-2017-7704",
    "CVE-2017-7705",
    "CVE-2017-7745",
    "CVE-2017-7746",
    "CVE-2017-7747",
    "CVE-2017-7748",
    "CVE-2017-9343",
    "CVE-2017-9344",
    "CVE-2017-9345",
    "CVE-2017-9346",
    "CVE-2017-9347",
    "CVE-2017-9348",
    "CVE-2017-9349",
    "CVE-2017-9350",
    "CVE-2017-9351",
    "CVE-2017-9352",
    "CVE-2017-9353",
    "CVE-2017-9354",
    "CVE-2017-9616",
    "CVE-2017-9617",
    "CVE-2017-9766",
    "CVE-2017-11406",
    "CVE-2017-11407",
    "CVE-2017-11408",
    "CVE-2017-11409",
    "CVE-2017-11410",
    "CVE-2017-11411",
    "CVE-2017-13764",
    "CVE-2017-13765",
    "CVE-2017-13766",
    "CVE-2017-13767",
    "CVE-2017-15189",
    "CVE-2017-15190",
    "CVE-2017-15191",
    "CVE-2017-15192",
    "CVE-2017-15193",
    "CVE-2017-17083",
    "CVE-2017-17084",
    "CVE-2017-17085",
    "CVE-2017-17935",
    "CVE-2017-17997",
    "CVE-2018-5334",
    "CVE-2018-5335",
    "CVE-2018-5336",
    "CVE-2018-6836",
    "CVE-2018-11358",
    "CVE-2018-19625",
    "CVE-2019-9209",
    "CVE-2020-26421",
    "CVE-2021-22207",
    "CVE-2023-0411",
    "CVE-2023-0412",
    "CVE-2023-0413",
    "CVE-2023-0414",
    "CVE-2023-0415",
    "CVE-2023-0416",
    "CVE-2023-0417",
    "CVE-2023-0666",
    "CVE-2023-0668",
    "CVE-2023-1161",
    "CVE-2023-1992",
    "CVE-2023-1993",
    "CVE-2023-1994",
    "CVE-2023-2854",
    "CVE-2023-2855",
    "CVE-2023-2856",
    "CVE-2023-2857",
    "CVE-2023-2858",
    "CVE-2023-2906",
    "CVE-2023-2952",
    "CVE-2023-4511",
    "CVE-2023-4512",
    "CVE-2023-4513",
    "CVE-2023-5371",
    "CVE-2023-6174",
    "CVE-2023-6175",
    "CVE-2024-2955"
  );

  script_name(english:"RHEL 7 : wireshark (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - wireshark: free operation on an uninitialized memory address in wiretap/netmon.c (CVE-2018-6836)

  - The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector in Wireshark
    1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service
    (infinite loop) via a crafted packet. (CVE-2016-2523)

  - The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark
    1.12.x before 1.12.10 and 2.0.x before 2.0.2 mishandles the case of an unrecognized TLV type, which allows
    remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted
    packet, a different vulnerability than CVE-2016-2531. (CVE-2016-2530)

  - Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10
    and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and
    application crash) via a crafted packet that triggers a 0xff tag value, a different vulnerability than
    CVE-2016-2530. (CVE-2016-2531)

  - The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector in Wireshark
    1.12.x before 1.12.10 and 2.0.x before 2.0.2 does not limit the recursion depth, which allows remote
    attackers to cause a denial of service (memory consumption or application crash) via a crafted packet.
    (CVE-2016-2532)

  - epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree
    depth, which allows remote attackers to cause a denial of service (stack memory consumption and
    application crash) via a crafted packet. (CVE-2016-4006)

  - epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly
    initialize memory for search patterns, which allows remote attackers to cause a denial of service
    (application crash) via a crafted packet. (CVE-2016-4076)

  - epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of
    truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free
    and application crash) via a crafted packet. (CVE-2016-4077)

  - The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly
    restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and
    application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and
    epan/dissectors/packet-ieee80211.c. (CVE-2016-4078)

  - epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before
    2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-
    bounds write and application crash) via a crafted packet. (CVE-2016-4079)

  - epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before
    2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-
    bounds read and application crash) via a crafted packet. (CVE-2016-4080)

  - epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before
    2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service
    (infinite loop) via a crafted packet. (CVE-2016-4081)

  - epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x
    before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of
    service (out-of-bounds access and application crash) via a crafted packet. (CVE-2016-4082)

  - epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure
    that data is available before array allocation, which allows remote attackers to cause a denial of service
    (application crash) via a crafted packet. (CVE-2016-4083)

  - Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x
    before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash)
    via a crafted packet that triggers an unexpected array size. (CVE-2016-4084)

  - Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x
    before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have
    unspecified other impact via a long string in a packet. (CVE-2016-4085)

  - Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark
    1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer
    over-read and application crash) via a crafted packet that triggers a 0xff tag value. (CVE-2016-4417)

  - epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before
    2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a
    crafted packet that triggers an empty set. (CVE-2016-4418)

  - epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before
    2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and
    application crash) via a packet that specifies deeply nested data. (CVE-2016-4421)

  - epan/dissectors/packet-dcerpc-spoolss.c in the SPOOLS component in Wireshark 1.12.x before 1.12.12 and 2.x
    before 2.0.4 mishandles unexpected offsets, which allows remote attackers to cause a denial of service
    (infinite loop) via a crafted packet. (CVE-2016-5350)

  - epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4
    mishandles the lack of an EAPOL_RSN_KEY, which allows remote attackers to cause a denial of service
    (application crash) via a crafted packet. (CVE-2016-5351)

  - epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.4 mishandles certain length
    values, which allows remote attackers to cause a denial of service (application crash) via a crafted
    packet. (CVE-2016-5352)

  - epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.12 and 2.x
    before 2.0.4 mishandles the reserved C/T value, which allows remote attackers to cause a denial of service
    (application crash) via a crafted packet. (CVE-2016-5353)

  - The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which
    allows remote attackers to cause a denial of service (application crash) via a crafted packet.
    (CVE-2016-5354)

  - wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4
    mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service
    (application crash) via a crafted file. (CVE-2016-5355)

  - wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4
    mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service
    (application crash) via a crafted file. (CVE-2016-5356)

  - wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4
    mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service
    (application crash) via a crafted file. (CVE-2016-5357)

  - epan/dissectors/packet-pktap.c in the Ethernet dissector in Wireshark 2.x before 2.0.4 mishandles the
    packet-header data type, which allows remote attackers to cause a denial of service (application crash)
    via a crafted packet. (CVE-2016-5358)

  - epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.12.x before 1.12.12 mishandles
    offsets, which allows remote attackers to cause a denial of service (integer overflow and infinite loop)
    via a crafted packet. (CVE-2016-5359)

  - epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x
    before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application
    crash) via a crafted packet. (CVE-2016-6505)

  - epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5
    allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6506)

  - epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12.x before 1.12.13 allows remote
    attackers to cause a denial of service (infinite loop) via a crafted packet. (CVE-2016-6507)

  - epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5
    uses an incorrect integer data type, which allows remote attackers to cause a denial of service (large
    loop) via a crafted packet. (CVE-2016-6508)

  - epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12.x before 1.12.13 and 2.x before
    2.0.5 mishandles conversations, which allows remote attackers to cause a denial of service (application
    crash) via a crafted packet. (CVE-2016-6509)

  - Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13
    and 2.x before 2.0.5 allows remote attackers to cause a denial of service (stack-based buffer overflow and
    application crash) via a crafted packet. (CVE-2016-6510)

  - epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a
    denial of service (OpenFlow dissector large loop) via a crafted packet. (CVE-2016-6511)

  - epan/dissectors/packet-wap.c in Wireshark 2.x before 2.0.5 omits an overflow check in the tvb_get_guintvar
    function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet,
    related to the MMSE, WAP, WBXML, and WSP dissectors. (CVE-2016-6512)

  - epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 2.x before 2.0.5 does not restrict the
    recursion depth, which allows remote attackers to cause a denial of service (application crash) via a
    crafted packet. (CVE-2016-6513)

  - epan/dissectors/packet-qnet6.c in the QNX6 QNET dissector in Wireshark 2.x before 2.0.6 mishandles MAC
    address data, which allows remote attackers to cause a denial of service (out-of-bounds read and
    application crash) via a crafted packet. (CVE-2016-7175)

  - epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x before 2.0.6 calls snprintf with one
    of its input buffers as the output buffer, which allows remote attackers to cause a denial of service
    (copy overlap and application crash) via a crafted packet. (CVE-2016-7176)

  - epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6
    does not restrict the number of channels, which allows remote attackers to cause a denial of service
    (buffer over-read and application crash) via a crafted packet. (CVE-2016-7177)

  - epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 2.x before 2.0.6 does not ensure
    that memory is allocated for certain data structures, which allows remote attackers to cause a denial of
    service (invalid write access and application crash) via a crafted packet. (CVE-2016-7178)

  - Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector
    in Wireshark 2.x before 2.0.6 allows remote attackers to cause a denial of service (application crash) via
    a crafted packet. (CVE-2016-7179)

  - epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wireshark 2.x before 2.0.6 does not
    properly consider whether a string is constant, which allows remote attackers to cause a denial of service
    (use-after-free and application crash) via a crafted packet. (CVE-2016-7180)

  - In Wireshark 2.2.0, the Bluetooth L2CAP dissector could crash, triggered by packet injection or a
    malformed capture file. This was addressed in epan/dissectors/packet-btl2cap.c by avoiding use of a seven-
    byte memcmp for potentially shorter strings. (CVE-2016-7957)

  - In Wireshark 2.2.0, the NCP dissector could crash, triggered by packet injection or a malformed capture
    file. This was addressed in epan/dissectors/CMakeLists.txt by registering this dissector. (CVE-2016-7958)

  - In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network
    traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input
    with too many I/O objects. (CVE-2016-9372)

  - In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free,
    triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c
    and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings.
    (CVE-2016-9373)

  - In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read,
    triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by
    ensuring that a length variable properly tracked the state of a signature variable. (CVE-2016-9374)

  - In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop,
    triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by
    checking whether SDNV evaluation was successful. (CVE-2016-9375)

  - In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion,
    triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c
    by ensuring that certain length values were sufficiently large. (CVE-2016-9376)

  - In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector could go into an infinite loop. This
    was addressed in plugins/docsis/packet-docsis.c by rejecting invalid Frame Control parameter values.
    (CVE-2017-11406)

  - In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could crash. This was addressed in
    epan/dissectors/packet-mq.c by validating the fragment length before a reassembly attempt.
    (CVE-2017-11407)

  - In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector could crash. This was addressed in
    epan/dissectors/packet-amqp.c by checking for successful list dissection. (CVE-2017-11408)

  - In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a large loop. This was addressed in
    epan/dissectors/packet-gprs-llc.c by using a different integer data type. (CVE-2017-11409)

  - In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    wbxml.c by adding validation of the relationships between indexes and lengths. NOTE: this vulnerability
    exists because of an incomplete fix for CVE-2017-7702. (CVE-2017-11410)

  - In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY dissector could crash or exhaust
    system memory. This was addressed in epan/dissectors/packet-opensafety.c by adding length validation.
    NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9350. (CVE-2017-11411)

  - In Wireshark 2.4.0, the Modbus dissector could crash with a NULL pointer dereference. This was addressed
    in epan/dissectors/packet-mbtcp.c by adding length validation. (CVE-2017-13764)

  - In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and
    application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation.
    (CVE-2017-13765)

  - In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write.
    This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. (CVE-2017-13766)

  - In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite
    loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. (CVE-2017-13767)

  - In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in
    plugins/docsis/packet-docsis.c by adding decrements. (CVE-2017-15189)

  - In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-
    rtsp.c by correcting the scope of a variable. (CVE-2017-15190)

  - In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was
    addressed in epan/dissectors/packet-dmp.c by validating a string length. (CVE-2017-15191)

  - In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in
    epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same
    encapsulation level. (CVE-2017-15192)

  - In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory.
    This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.
    (CVE-2017-15193)

  - In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector could crash. This was addressed in
    epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a
    buffer. (CVE-2017-17083)

  - In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissector could crash. This was addressed
    in epan/dissectors/packet-iwarp-mpa.c by validating a ULPDU length. (CVE-2017-17084)

  - In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. This was addressed
    in epan/dissectors/packet-cipsafety.c by validating the packet length. (CVE-2017-17085)

  - The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip
    '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and
    application crash) via a crafted packet that triggers the attempted processing of an empty line.
    (CVE-2017-17935)

  - In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in
    epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar to
    CVE-2017-9343. (CVE-2017-17997)

  - In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    asterix.c by changing a data type to avoid an integer overflow. (CVE-2017-5596)

  - In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector could go into a large loop, triggered
    by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dhcpv6.c by
    changing a data type to avoid an integer overflow. (CVE-2017-5597)

  - In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite
    loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from
    will not advance, causing continuous attempts to read the same zero length packet. This will quickly
    exhaust all system memory. (CVE-2017-6014)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler file parser infinite loop, triggered
    by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on
    file size. (CVE-2017-6467)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser crash, triggered by a
    malformed capture file. This was addressed in wiretap/netscaler.c by validating the relationship between
    pages and records. (CVE-2017-6468)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS dissector crash, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-ldss.c by ensuring
    that memory is allocated for a certain data structure. (CVE-2017-6469)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining
    packet lateness. (CVE-2017-6470)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infinite loop, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by validating
    the capability length. (CVE-2017-6471)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dissector infinite loop, triggered by
    packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rtmpt.c by
    properly incrementing a certain sequence value. (CVE-2017-6472)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file parser crash, triggered by a
    malformed capture file. This was addressed in wiretap/k12.c by validating the relationships between
    lengths and offsets. (CVE-2017-6473)

  - In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser infinite loop, triggered
    by a malformed capture file. This was addressed in wiretap/netscaler.c by validating record sizes.
    (CVE-2017-6474)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop,
    triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero
    record size. (CVE-2017-7700)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    bgp.c by using a different integer data type. (CVE-2017-7701)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    wbxml.c by adding length validation. (CVE-2017-7702)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector could crash, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-imap.c by calculating
    a line's end correctly. (CVE-2017-7703)

  - In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infinite loop, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-dof.c by using a
    different integer data type and adjusting a return value. (CVE-2017-7704)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dissector could go into an infinite
    loop, triggered by packet injection or a malformed capture file. This was addressed in
    epan/dissectors/packet-rpcrdma.c by correctly checking for going beyond the maximum offset.
    (CVE-2017-7705)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    sigcomp.c by correcting a memory-size check. (CVE-2017-7745)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    slsk.c by adding checks for the remaining length. (CVE-2017-7746)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissector could crash, triggered by packet
    injection or a malformed capture file. This was addressed in epan/dissectors/packet-packetbb.c by
    restricting additions to the protocol tree. (CVE-2017-7747)

  - In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector could go into an infinite loop,
    triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-
    wsp.c by adding a length check. (CVE-2017-7748)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector misuses a NULL pointer. This was
    addressed in epan/dissectors/packet-msnip.c by validating an IPv4 address. (CVE-2017-9343)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP dissector could divide by zero. This
    was addressed in epan/dissectors/packet-btl2cap.c by validating an interval value. (CVE-2017-9344)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector could go into an infinite loop. This
    was addressed in epan/dissectors/packet-dns.c by trying to detect self-referencing pointers.
    (CVE-2017-9345)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector could go into an infinite loop.
    This was addressed in epan/dissectors/packet-slsk.c by making loop bounds more explicit. (CVE-2017-9346)

  - In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. This was
    addressed in epan/dissectors/asn1/ros/packet-ros-template.c by validating an OID. (CVE-2017-9347)

  - In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end of a buffer. This was addressed in
    epan/dissectors/packet-dof.c by validating a size value. (CVE-2017-9348)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was
    addressed in epan/dissectors/packet-dcm.c by validating a length value. (CVE-2017-9349)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissector could crash or exhaust system
    memory. This was addressed in epan/dissectors/packet-opensafety.c by checking for a negative length.
    (CVE-2017-9350)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector could read past the end of a buffer.
    This was addressed in epan/dissectors/packet-bootp.c by extracting the Vendor Class Identifier more
    carefully. (CVE-2017-9351)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector could go into an infinite loop. This
    was addressed in epan/dissectors/packet-bzr.c by ensuring that backwards parsing cannot occur.
    (CVE-2017-9352)

  - In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was addressed in
    epan/dissectors/packet-ipv6.c by validating an IPv6 address. (CVE-2017-9353)

  - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in
    epan/dissectors/packet-rgmp.c by validating an IPv4 address. (CVE-2017-9354)

  - In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the
    dissect_mp4_box function in epan/dissectors/file-mp4.c. (CVE-2017-9616)

  - In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the
    dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector. (CVE-2017-9617)

  - In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial
    of service (stack exhaustion) in the dissect_IODWriteReq function in
    plugins/profinet/packet-dcerpc-pn-io.c. (CVE-2017-9766)

  - In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was
    addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented
    certain cleanup. (CVE-2018-11358)

  - In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in
    epan/tvbuff_composite.c by preventing a heap-based buffer over-read. (CVE-2018-19625)

  - In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was
    addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks. (CVE-2018-5334)

  - In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in
    epan/dissectors/packet-wcp.c by validating the available buffer length. (CVE-2018-5335)

  - In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash.
    This was addressed in epan/tvbparse.c by limiting the recursion depth. (CVE-2018-5336)

  - In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This
    was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive
    digits in time values. (CVE-2019-9209)

  - Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8
    allows denial of service via packet injection or crafted capture file. (CVE-2020-26421)

  - Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows
    denial of service via packet injection or crafted capture file (CVE-2021-22207)

  - Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allow denial
    of service via packet injection or crafted capture file (CVE-2023-0411)

  - TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via
    packet injection or crafted capture file (CVE-2023-0412)

  - Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via
    packet injection or crafted capture file (CVE-2023-0413)

  - Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or
    crafted capture file (CVE-2023-0414)

  - iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via
    packet injection or crafted capture file (CVE-2023-0415)

  - GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via
    packet injection or crafted capture file (CVE-2023-0416)

  - Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of
    service via packet injection or crafted capture file (CVE-2023-0417)

  - Due to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version
    4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution
    in the context of the process running Wireshark. (CVE-2023-0666)

  - Due to failure in validating the length provided by an attacker-crafted IEEE-C37.118 packet, Wireshark
    version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code
    execution in the context of the process running Wireshark. (CVE-2023-0668)

  - ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of
    service via packet injection or crafted capture file (CVE-2023-1161)

  - RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via
    packet injection or crafted capture file (CVE-2023-1992)

  - LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via
    packet injection or crafted capture file (CVE-2023-1993)

  - GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet
    injection or crafted capture file (CVE-2023-1994)

  - BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted
    capture file (CVE-2023-2854, CVE-2023-2857)

  - Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via
    crafted capture file (CVE-2023-2855)

  - VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service
    via crafted capture file (CVE-2023-2856)

  - NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via
    crafted capture file (CVE-2023-2858)

  - Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark
    versions 2.0.0 through 4.0.7 are susceptible to a divide by zero allowing for a denial of service attack.
    (CVE-2023-2906)

  - XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via
    packet injection or crafted capture file (CVE-2023-2952)

  - BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service
    via packet injection or crafted capture file (CVE-2023-4511)

  - CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted
    capture file (CVE-2023-4512)

  - BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via
    packet injection or crafted capture file (CVE-2023-4513)

  - RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via
    packet injection or crafted capture file (CVE-2023-5371)

  - SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted
    capture file (CVE-2023-6174)

  - NetScreen file parser crash in Wireshark 4.0.0 to 4.0.10 and 3.6.0 to 3.6.18 allows denial of service via
    crafted capture file (CVE-2023-6175)

  - T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet
    injection or crafted capture file (CVE-2024-2955)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6836");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:wireshark");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'wireshark', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'wireshark'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'wireshark');
}
