Security
This page collects information about the secure usage of Ethereal.
- Security
- Introduction
- Why is Ethereal so buggy?
- Which user actions are critical?
- Administrator/root account not required!
- Protect Yourself!
- Help is on the way!
Introduction
Recently, Ethereal has often been mentioned in security bulletins as having had several security-related bugs fixed. This is a result of code reviews by individuals and interested parties, and of the Ethereal team's effort to find bugs automatically. It is expected that this will continue, at least in the near future.
While there is currently no known exploit out there that attacks Ethereal, this may change one day ...
Because of this, special care should be taken to avoid security-related problems while running Ethereal, or at least to reduce the possible impact.
Whether this is a problem for you will depend on the situation: a small SoHo network will probably be less critical than a company's 24/7 mission-critical web server, capturing data from an internal network is probably more secure than capturing Internet traffic, ...
It's not the intention of this page to discuss the opinion of certain people that the usage of Ethereal itself is "insecure" because you can see network data such as transported passwords. BTW: security through obscurity just doesn't work.
Why is Ethereal so buggy?
Well, it's not as buggy as it may seem. Recent automated code inspections showed a much lower defect rate compared to other well-known open source programs (the defect rate of closed source programs is not known, but may be even higher). Unfortunately, most bugs found in the Ethereal code are security-related, so they are mentioned in the security bulletins.
In most programs, only small sections of code work directly with "outside" data (e.g. from a file or network). By focusing on these small sections during code reviews, developers can eliminate most security problems.
Ethereal is different. The vast majority of its code base deals directly with data from the "outside", so a code review of the relevant parts would cover most if not all of the complete Ethereal code. Running "wc -l epan/dissectors/*.[ch]" returns about 1,000,000 lines of code that are expected to handle fresh-off-the-wire data! Auditing all of this would be a huge effort, and may not guarantee success.
Ethereal is implemented in ANSI C, which is vulnerable to security problems like buffer overflows (compared to more securely designed languages like Java or C#). ANSI C is used for several reasons; the main reason is performance, as Ethereal is often used to work with huge amounts of data. Another reason is that implementations of other languages might not be as commonly available on all the platforms Ethereal supports.
To make things worse, Ethereal development has an "experimental character": new protocols are added all the time and existing ones are heavily improved, which is the main reason Ethereal has gained such wide protocol support. The developers contributing code to Ethereal (literally hundreds) have very divergent programming experience, from advanced networking specialists to novice programmers, making it more likely that new bugs get in.
As a result, Ethereal is more vulnerable to attacks than most other programs.
Which user actions are critical?
Having a bug in the GUI code (e.g. a crash while printing) can be quite annoying. However, such bugs are usually not security-related, as they cannot be triggered from the outside.
The most critical action is the analysis of packets as they are read in. The following actions call into the myriad lines of dissector code with data coming from the "outside":
- opening a capture file
- capturing with "Update list of packets in real time" enabled (packets are dissected while the capture is running)
- capturing with "Update list of packets in real time" disabled (packets are dissected after the capture stops)
Administrator/root account not required!
Many Ethereal users think that Ethereal requires a root/Administrator account to work.
That's not a good idea, as using a root account makes any exploit far more dangerous: a successful exploit will have immediate control of the whole system, compromising it completely.
First of all, most Ethereal functions can always be used with a (possibly very limited) user account. In particular, the protocol dissectors, which contain most of the security-related bugs, don't need a root account!
Only capturing (and gathering capture interface information) may require a root account, and even that can usually be "circumvented"; see CaptureSetup/CapturePrivileges for details on how to do so.
Protect Yourself!
There are some things you can do:
- Always update to the latest Ethereal version available, as bugs are fixed often. You can join the announce mailing list to stay informed about new versions.
- Don't run Ethereal as root/Administrator! See CaptureSetup/CapturePrivileges for details on how to avoid it.
- Analyze capture files in a non-critical environment. You may create a special (limited) user account or even use a dedicated machine for this task.
- Use a small capture tool that is less likely to be affected by security bugs, e.g. tcpdump (upcoming: dumpcap), and transfer the capture file to the non-critical environment mentioned above.
The SampleCaptures wiki page collects capture files for automated tests. If you have a capture file for a protocol that is missing there, help the developers and attach the file to that page.
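As an added example (not from the Ethereal wiki or from the Ethereal project), the following POSIX shell script ties the steps above together: capture with tcpdump while dropping root privileges to a limited account (tcpdump's -Z option), check that the file handed over to the analysis environment really starts with a libpcap or pcapng magic number before it is fed to the dissectors, and refuse to run the analysis step as root. The account name pcapuser, the capture directory and the use of tethereal with -r/-V for the analysis step are assumptions.

```shell
#!/bin/sh
# Added example: keep the (privileged) capture separate from the (unprivileged)
# analysis, as recommended on the Ethereal security page.
# Assumptions: tcpdump is installed; a dedicated limited account named
# "pcapuser" exists (hypothetical name); tethereal is used for analysis.
#
# Usage:  sh capture_and_analyze.sh capture eth0 /tmp/trace.pcap
#         sh capture_and_analyze.sh analyze /tmp/trace.pcap

CAPTURE_USER="${CAPTURE_USER:-pcapuser}"   # hypothetical limited account

# Return 0 if the file begins with a libpcap (either byte order, micro- or
# nanosecond) or pcapng magic number, 1 otherwise (including a missing file).
is_capture_file() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the current process runs with uid 0.
running_as_root() {
  [ "$(id -u)" -eq 0 ]
}

# Capture raw packets with tcpdump and no dissection (-w writes the file as is).
# -Z drops root privileges to CAPTURE_USER once the capture socket is open,
# so the long-running part of the capture is not executed as root.
capture() {
  iface="$1"; out="$2"; count="${3:-1000}"
  tcpdump -i "$iface" -Z "$CAPTURE_USER" -n -c "$count" -w "$out"
}

# Run the dissectors only under a limited account and only on a file that
# looks like a capture file; return 2 if root, 3 if the file is rejected.
analyze() {
  file="$1"
  if running_as_root; then
    echo "refusing to run the dissectors as root: $file" >&2
    return 2
  fi
  if ! is_capture_file "$file"; then
    echo "not a libpcap/pcapng file, refusing to open: $file" >&2
    return 3
  fi
  tethereal -r "$file" -V
}

# Simple dispatcher; does nothing when the script is sourced without arguments.
case "${1:-}" in
  capture) capture "$2" "$3" ;;
  analyze) analyze "$2" ;;
esac
```

The magic-number check is a cheap sanity check, not a substitute for the dissectors' own parsing: it only prevents an accidentally transferred non-capture file from being opened, while the limited account and the dedicated machine are what actually limit the impact of a dissector bug.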
Help is on the way!
The Ethereal developers agree that the current situation isn't actually satisfactory.
Effort is currently being spent in several ways to improve Ethereal in that regard:
- automated tests uncover previously unknown bugs
- code reviews take place
- potentially insecure functions are removed from the code
- privilege separation is being implemented (running the capture code in its own task)
- ... and many other things
You'll find more information about that effort at the Development/Security page.
As there is a lot of effort involved in the above tasks, it's unpredictable when they'll be finished (if ever).
