CVE-2021-4182

Source: cve@gitlab.com

HIGH
7.5
Published: December 30, 2021 at 10:15 PM
Modified: November 3, 2025 at 10:15 PM

Vulnerability Description

Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack. By crafting a malicious packet or capture file, an attacker can trigger a crash in the RFC 7468 dissector, rendering the application unusable and potentially disrupting network analysis operations. This vulnerability poses a risk to any system using Wireshark to analyze network traffic, including security teams and network administrators.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious packet or capture file containing a specially crafted RFC 7468 encoded certificate.

Step 2: Packet Capture/Injection: The crafted packet is either injected into the network or loaded as a capture file into Wireshark.

Step 3: Dissection Trigger: Wireshark's RFC 7468 dissector processes the malicious packet.

Step 4: Vulnerability Exploitation: The dissector encounters the crafted input and attempts to parse it, leading to a memory access violation or other error.

Step 5: Denial of Service: The error condition causes Wireshark to crash, resulting in a denial of service.

03 // Deep Technical Analysis

The vulnerability lies within the RFC 7468 dissector in Wireshark, specifically in how it handles malformed or crafted packets. The dissector likely fails to properly validate input data, leading to a memory access violation or other error condition. This can occur during the parsing of ASN.1 encoded data within the RFC 7468 format. The root cause is likely an unchecked access to a data structure, leading to a buffer overflow or an attempt to dereference an invalid pointer. The crafted input causes the dissector to enter an unexpected state, triggering the crash. The specific function or logic flaw is likely related to the parsing of the certificate data, where the dissector attempts to read beyond the allocated buffer or misinterprets the data length.

04 // Exploitation Status

Public PoC is likely available. The vulnerability is relatively easy to exploit, and the impact is a denial of service. While not directly exploitable for remote code execution, it can disrupt network analysis and potentially be chained with other vulnerabilities.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE, any threat actor seeking to disrupt network monitoring or analysis could leverage this vulnerability. This could include state-sponsored actors, cybercriminals, and hacktivists. Not listed in CISA KEV.

06 // Detection & Hunting

  • Monitor network traffic for unusual RFC 7468 encoded certificate data, especially with unexpected lengths or malformed structures.

  • Analyze Wireshark crash logs for error messages related to the RFC 7468 dissector.

  • Implement network intrusion detection systems (IDS) rules to identify and block malicious packets containing the crafted RFC 7468 data.

  • Monitor for unexpected Wireshark process terminations or restarts.

07 // Remediation & Hardening

  • Upgrade Wireshark to a patched version (3.6.1 or later, or 3.4.11 or later).

  • Restrict access to Wireshark instances, especially those used for network capture and analysis.

  • Implement network segmentation to isolate Wireshark instances from critical network segments.

  • Regularly update Wireshark and other software to patch known vulnerabilities.

  • Consider using a network intrusion prevention system (IPS) to filter malicious packets before they reach Wireshark.

08 // Affected Products

  • Wireshark 3.6.0

  • Wireshark 3.4.0 to 3.4.10
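The affected and fixed versions above reduce to a simple range check that a defender can run across an inventory of capture hosts. The following script is an added example and is not part of the original advisory or the Wireshark project: it parses an X.Y.Z version out of banner text (such as the output of `tshark -v` or `wireshark --version`), tests it against the two affected ranges listed on this page, and names the fixed release for that branch. The banners in `SAMPLE_BANNERS` are constructed for illustration; versions on branches the advisory does not list are reported as outside its scope rather than as safe.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected versions exactly as stated in the advisory:
# 3.6.0, and 3.4.0 through 3.4.10 (inclusive).
AFFECTED_RANGES = (
    ((3, 6, 0), (3, 6, 0)),
    ((3, 4, 0), (3, 4, 10)),
)

# First fixed release per branch, as named under Remediation & Hardening.
FIXED_BY_BRANCH = {
    (3, 6): (3, 6, 1),
    (3, 4): (3, 4, 11),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Version]:
    """Return the first X.Y.Z version found in banner text, or None."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside any range listed in the advisory."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_fix(version: Version) -> Optional[Version]:
    """First fixed release on the same major.minor branch, if the advisory names one."""
    return FIXED_BY_BRANCH.get(version[:2])


def assess(banner: str) -> dict:
    """Classify a version banner against the advisory's affected ranges."""
    version = parse_version(banner)
    if version is None:
        return {"version": None, "affected": False,
                "note": "no version found in banner"}

    affected = is_affected(version)
    fix = recommended_fix(version)
    if affected:
        note = "affected; upgrade to %s or later" % ".".join(map(str, fix))
    elif fix is not None and version >= fix:
        note = "fixed release on this branch"
    else:
        note = "outside the version ranges listed in this advisory"
    return {"version": version, "affected": affected, "note": note}


# Constructed sample banners (hypothetical hosts, not real inventory data).
SAMPLE_BANNERS = [
    "TShark (Wireshark) 3.4.8 (Git v3.4.8 packaged as 3.4.8-1)",
    "Wireshark 3.6.0 (Git v3.6.0 packaged as 3.6.0-1)",
    "Wireshark 3.6.1 (Git v3.6.1 packaged as 3.6.1-1)",
    "TShark (Wireshark) 3.4.11",
    "Wireshark 3.2.9",
    "command not found",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        result = assess(banner)
        print("%-55s -> %s" % (banner, result["note"]))
```

Feed it the banner collected by your endpoint or configuration-management tooling; anything reported as affected should be scheduled for the branch upgrade the advisory names.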

09 // Discovered Proof of Concept Links


References & Intelligence

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4182.json
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

https://gitlab.com/wireshark/wireshark/-/issues/17801
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108
Exploit, Issue Tracking, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html
Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202210-04
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108
Patch, Third Party Advisory

https://www.wireshark.org/security/wnpa-sec-2021-20.html
Sources: cve@gitlab.com, af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory