Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-4AE135F7-85CD-4C32-AD94-358271B31F7F: zeek -- potential denial of service issues


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 02/25/2020
Created: 03/18/2020
Added: 03/16/2020
Modified: 03/16/2020

Description

Jon Siwek of Corelight reports:

This release addresses the following security issues:

  • Potential Denial of Service due to memory leak in DNS TSIG message parsing.

  • Potential Denial of Service due to memory leak (or assertion when compiling with assertions enabled) when receiving a second SSH KEX message after a first.

  • Potential Denial of Service due to buffer read overflow and/or memory leaks in Kerberos analyzer. The buffer read overflow could occur when the Kerberos message indicates it contains an IPv6 address, but does not send enough data to parse out a full IPv6 address. A memory leak could occur when processing KRB_KDC_REQ KRB_KDC_REP messages for message types that do not match a known/expected type.

  • Potential Denial of Service when sending many zero-length SSL/TLS certificate data. Such messages underwent the full Zeek file analysis treatment which is expensive (and meaningless here) compared to how cheaply one can "create" or otherwise indicate many zero-length contained in an SSL message.

  • Potential Denial of Service due to buffer read overflow in SMB transaction data string handling. The length of strings being parsed from SMB messages was trusted to be whatever the message claimed instead of the actual length of data found in the message.

  • Potential Denial of Service due to null pointer dereference in FTP ADAT Base64 decoding.

  • Potential Denial of Service due to buffer read overflow in FTP analyzer word/whitespace handling. This typically won't be a problem in most default deployments of Zeek since the FTP analyzer receives data from a ContentLine (NVT) support analyzer which first null-terminates the buffer used for further FTP parsing.
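The Kerberos and SMB items above both describe a parser trusting a type or length field over the number of bytes actually received. The C example below is added here and is not Zeek's code: it shows the bounds check that prevents such a read overflow. The record layouts, function names and sample bytes are constructed for illustration (real Kerberos uses ASN.1 encoding).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_IPV6 24 /* Kerberos host address type for IPv6 (RFC 4120) */
struct cursor { const uint8_t *p; size_t left; }; /* bytes that actually arrived */

/* Copy n bytes out of the cursor; fail if fewer than n remain. */
static int take(struct cursor *c, void *out, size_t n) {
    if (n > c->left) return -1;
    memcpy(out, c->p, n);
    c->p += n; c->left -= n;
    return 0;
}

/* Constructed layout [type:1][address]: IPv6 needs all 16 address bytes. */
static int parse_ipv6(const uint8_t *msg, size_t len, uint8_t out[16]) {
    struct cursor c = { msg, len };
    uint8_t type;
    if (take(&c, &type, 1) != 0 || type != ADDR_IPV6) return -1;
    return take(&c, out, 16); /* rejected, not over-read, when data is short */
}

/* Constructed layout [claimed_len:2 LE][bytes]: accept the claim only if
 * that many bytes are present and fit in out. */
static int parse_string(const uint8_t *msg, size_t len, char *out, size_t cap) {
    struct cursor c = { msg, len };
    uint8_t hdr[2];
    if (take(&c, hdr, 2) != 0) return -1;
    size_t claimed = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    if (claimed >= cap || take(&c, out, claimed) != 0) return -1;
    out[claimed] = '\0';
    return (int)claimed;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t short_v6[] = { ADDR_IPV6, 0x20, 0x01, 0x0d, 0xb8 };  /* 4 of 16 bytes */
static const uint8_t full_v6[17] = { ADDR_IPV6, 0x20, 0x01, 0x0d, 0xb8 }; /* rest is zero */
static const uint8_t lying_str[] = { 0x10, 0x00, 'a', 'b', 'c' };  /* claims 16, has 3 */
static const uint8_t honest_str[] = { 0x03, 0x00, 'a', 'b', 'c' }; /* claims 3, has 3 */
static uint8_t addr[16]; static char text[64];

int main(void) {
    printf("%d %d %d %d\n", parse_ipv6(short_v6, sizeof short_v6, addr),
           parse_ipv6(full_v6, sizeof full_v6, addr),
           parse_string(lying_str, sizeof lying_str, text, sizeof text),
           parse_string(honest_str, sizeof honest_str, text, sizeof text));
    return 0;
}
```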

Solution(s)

  • freebsd-upgrade-package-zeek
