Wireshark IPsec ESP preference parser off-by-one vulnerable Windows version detected (WiresharkEspOffbyoneWin)

Vuln ID: 38695
Risk Level: Medium
Platforms: Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server, Wireshark Wireshark: 0.99.2

Wireshark (formerly known as Ethereal) is vulnerable to a denial of service attack, caused by multiple off-by-one errors in the IPsec ESP preference parser in version 0.99.2, if Wireshark was compiled with ESP decryption support. A vulnerable version of Wireshark for Windows has been detected.


Upgrade to the latest version of Wireshark (0.99.3 or later), as listed in Wireshark Security Advisory wnpa-sec-2006-02. See References.

False Positives: A workaround for this vulnerability has been provided by the Wireshark development team. If this workaround has been applied, the installation will still be flagged as vulnerable, even though the vulnerability has been remediated.
False Negatives: This check will only detect the most recently installed version of Wireshark. Previously installed versions of Wireshark that were not uninstalled prior to the most recent installation will not be tested but may be vulnerable.
Required Permission: Windows login
Additional Information:


Multiple problems in Wireshark (Ethereal®) versions 0.7.9 to 0.99.2

IBM Internet Security Systems X-Force Database
Wireshark (Ethereal) IPsec ESP preference parser off-by-one

ISS X-Force
Wireshark IPsec ESP preference parser off-by-one vulnerable Windows version detected

CVE CVE-2006-4331
