CVE-2017-17997

Source: cve@mitre.org

MEDIUM
5.0
Published: December 30, 2017 at 07:29 AM
Modified: April 20, 2025 at 01:37 AM

Vulnerability Description

In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar to CVE-2017-9343.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String (CVSS v2)
AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Wireshark, the widely used network protocol analyzer, contains a denial-of-service flaw: a NULL pointer dereference in its MRDISC (Multicast Router Discovery) dissector. A crafted MRDISC message, whether captured live or read from a capture file, makes the dissecting process crash. The impact is confined to availability (CVSS v2 A:P): the running Wireshark or tshark session and its in-memory capture are lost, and a malicious capture file crashes the process again every time it is opened, which can deny analysts their tool in the middle of an investigation. No confidentiality or integrity impact is attributed to this bug.

02 // Vulnerability Mechanism

Step 1: Packet Crafting: The attacker builds an MRDISC message (carried inside IGMP) in which the IPv4 address the dissector reads is not what the dissector assumes. The CVE description says only that the fix validates an IPv4 address, so the exact malformation is not specified here.

Step 2: Packet Delivery: The message has to reach a Wireshark instance. Two paths exist: injecting it on a segment that a capture interface sees, or getting a capture file containing it in front of an analyst (a "please look at this pcap" attachment, a shared evidence store). Because tshark uses the same dissectors, automated pipelines that run tshark over untrusted captures are exposed as well.

Step 3: Packet Capture: Wireshark or tshark captures or reads the message and hands the IGMP payload to the MRDISC dissector.

Step 4: Dissection and Crash: The MRDISC dissector uses the IPv4 address without validating it, follows a NULL pointer, and takes a segmentation fault. The process terminates, and the capture session or the analysis of that file is lost.

03 // Deep Technical Analysis

The flaw is in epan/dissectors/packet-mrdisc.c, the dissector for the Multicast Router Discovery protocol (MRDISC, RFC 4286, carried as IGMP message types 0x24 through 0x26). Its root cause is a NULL pointer dereference: the dissector used an IPv4 address without first checking that it was valid, and for a crafted message the pointer it then followed was NULL. Reading through a NULL pointer (or a small offset from it) touches an unmapped page, so the process receives a segmentation fault and terminates. The crash is reliable and needs no memory-corruption primitive, but it also yields nothing beyond denial of service. Wireshark 2.2.12 fixes it by validating the IPv4 address before use. The CVE text notes the same pattern as CVE-2017-9343, which was fixed the same way in the MSNIP dissector, another member of the IGMP family; the Wireshark bug tracker and release notes are the authoritative source for the exact check that was added.

04 // Exploitation Status

Discovery Only. Wireshark dissector crashes of this kind are usually found by fuzzing, and triggering one requires nothing more than a single packet or a capture file, so a proof-of-concept would be a crafted capture rather than an exploit chain. No public weaponization is known from the sources on this page. The impact is limited to denial of service, which is far less severe than remote code execution, but it is cheap to reproduce once the trigger is known.

05 // Threat Intelligence

No specific APT groups or malware families are associated with this vulnerability. The realistic abuse case is opportunistic: a capture file planted where analysts will open it, or noise injected on a monitored segment to knock out a capture. Not listed on CISA KEV.

06 // Detection & Hunting

  • MRDISC is rare on most networks: RFC 4286 messages are IGMP types 0x24 (advertisement), 0x25 (solicitation) and 0x26 (termination), sent with TTL 1 to 224.0.0.1 or 224.0.0.2 by multicast routers and hosts on the local segment. Any MRDISC message from a host that is not a known multicast router, with an unexpected destination, a TTL other than 1, or a truncated body is worth a look. The page does not specify the exact trigger, so a precise NIDS signature cannot be derived from it; hunt on deviations from the RFC instead.

  • Watch for crashes of Wireshark and tshark on analyst workstations and capture hosts (core dumps, Windows Error Reporting entries, abnormal exit codes from scripted tshark runs). Wireshark keeps no crash log of its own, so this has to come from the host.

  • Triage untrusted capture files with a tool other than an unpatched Wireshark: inspecting the IGMP bytes with a small stand-alone parser tells you whether MRDISC traffic is present without feeding the file to the vulnerable dissector.

  • Treat the capturing interface as the attack surface: anything that can inject frames where your sensors listen can reach this code path.
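The following is an added example written for this page, not code from Wireshark or from the CVE's sources. It is a stand-alone scanner that walks a classic Ethernet pcap, pulls out IPv4/IGMP messages whose type is one of the three MRDISC types from RFC 4286, and flags departures from that RFC (TTL other than 1, wrong destination group, body shorter than the fixed part). Those checks are hunting heuristics for analyst review, not a signature for this CVE's trigger, which the description does not spell out. The sample capture is constructed inline; the pcap and frame builders exist only to make the example self-contained. Because it never hands the bytes to Wireshark, it is safe to run over a suspicious file on a host that has not yet been patched.

```python
import struct

# IGMP message types assigned to MRDISC by RFC 4286, with the destination
# group and minimum length the RFC prescribes for each.
MRDISC_TYPES = {
    0x24: "Multicast Router Advertisement",
    0x25: "Multicast Router Solicitation",
    0x26: "Multicast Router Termination",
}
EXPECTED_DST = {0x24: "224.0.0.1", 0x25: "224.0.0.2", 0x26: "224.0.0.1"}
MIN_LEN = {0x24: 8, 0x25: 4, 0x26: 4}


def iter_pcap_frames(data):
    """Yield (timestamp, frame) from a classic pcap (either byte order, Ethernet only)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def inspect_frame(frame):
    """Return a finding dict for an IPv4/IGMP frame carrying an MRDISC type, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or ip[9] != 2:   # protocol 2 = IGMP
        return None
    igmp = ip[ihl:]
    if not igmp or igmp[0] not in MRDISC_TYPES:
        return None
    mtype = igmp[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    anomalies = []
    if ip[8] != 1:
        anomalies.append("ttl=%d (RFC 4286 requires 1)" % ip[8])
    if dst != EXPECTED_DST[mtype]:
        anomalies.append("dst %s (RFC 4286 expects %s)" % (dst, EXPECTED_DST[mtype]))
    if len(igmp) < MIN_LEN[mtype]:
        anomalies.append("body %d bytes (fixed part is %d)" % (len(igmp), MIN_LEN[mtype]))
    return {"type": mtype, "name": MRDISC_TYPES[mtype], "src": src, "dst": dst,
            "igmp_len": len(igmp), "anomalies": anomalies}


def scan_pcap(data):
    """Return every MRDISC finding in the capture, tagged with its timestamp."""
    findings = []
    for ts, frame in iter_pcap_frames(data):
        finding = inspect_frame(frame)
        if finding:
            finding["ts"] = ts
            findings.append(finding)
    return findings


# --- constructed sample input (not a real capture) --------------------------
def _ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src, dst, ttl, igmp):
    """Ethernet/IPv4/IGMP frame; the IGMP checksum is left zero, the scanner ignores it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, ttl, 2, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return b"\x01\x00\x5e\x00\x00\x01\x00\x11\x22\x33\x44\x55\x08\x00" + hdr + igmp


def build_pcap(frames):
    """Classic little-endian pcap with LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1514764800 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    # well-formed advertisement: interval 20, query interval 125, robustness 2
    build_frame("192.0.2.1", "224.0.0.1", 1, bytes([0x24, 20, 0, 0, 0, 125, 0, 2])),
    # advertisement from an unexpected host, wrong TTL, truncated body
    build_frame("192.0.2.99", "224.0.0.1", 64, bytes([0x24, 20, 0, 0])),
    # ordinary IGMPv2 membership report (type 0x16) as a control; must not be flagged
    build_frame("192.0.2.7", "239.1.1.1", 1, bytes([0x16, 0, 0, 0, 239, 1, 1, 1])),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for f in scan_pcap(data):
        print("%.6f %s -> %s %s (%d bytes) %s" % (
            f["ts"], f["src"], f["dst"], f["name"], f["igmp_len"],
            "; ".join(f["anomalies"]) or "conforms to RFC 4286"))
```

Run it as `python3 mrdisc_hunt.py capture.pcap`; with no argument it scans the constructed sample and reports the second frame with two anomalies. Pcapng files and non-Ethernet link types are rejected rather than silently skipped, so convert those first.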

07 // Remediation & Hardening

  • Upgrade Wireshark to 2.2.12 or later. tshark ships with the same dissectors and needs the same update; check every host that parses captures, not only analyst desktops.

  • Where the upgrade has to wait, disable the MRDISC dissector (Analyze > Enabled Protocols in the GUI; for tshark, `--disable-protocol mrdisc` in releases that support that option). IGMP itself keeps working; only the MRDISC sub-dissector is switched off.

  • Run captures with Wireshark's privilege separation (dumpcap as the only privileged component) and never as root, so a dissector crash takes down only an unprivileged process.

  • Open untrusted capture files on a patched, isolated analysis host rather than on the workstation that holds the rest of the investigation.

  • Track Wireshark security advisories and keep to the current stable release; dissector crashes of this class are fixed in nearly every release.

  • Limit who can inject traffic where sensors listen: an attacker reaching this code path live needs to put frames on a monitored segment.

08 // Affected Products

Wireshark versions prior to 2.2.12 (including tshark, which shares the dissectors)