Source: cve@gitlab.com
Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file
Wireshark 3.6.0 is vulnerable to a denial-of-service (DoS) attack due to a flaw in its pcapng file parser. A crafted capture file can trigger a crash, rendering the application unusable until it is restarted and potentially disrupting network monitoring and analysis operations.
Step 1: Payload Delivery: An attacker crafts a malicious pcapng capture file. This file contains specific, malformed data designed to exploit the vulnerability in the Wireshark parser.
Step 2: File Ingestion: The victim, using Wireshark 3.6.0, opens or attempts to analyze the crafted pcapng file.
Step 3: Parsing Trigger: Wireshark's pcapng parser begins processing the file, encountering the malicious data.
Step 4: Vulnerability Exploitation: The crafted data triggers the vulnerability within the parser, leading to an error condition (e.g., buffer overflow, out-of-bounds read, or an infinite loop).
Step 5: Denial of Service: The error condition causes Wireshark to crash, resulting in a denial of service. The application becomes unresponsive and unusable until restarted.
The vulnerability lies within the pcapng file parser in Wireshark 3.6.0. When handling certain malformed or crafted pcapng files, the parser encounters an error condition. The root cause is likely improper handling of data structures or memory allocation while parsing certain pcapng block types, potentially leading to an out-of-bounds read or write or an infinite loop, and ultimately to a crash. The CVE description does not name the exact function or logic flaw, only that it is reached by parsing a crafted capture file. The crash results from the parser's inability to handle the malformed input gracefully, ending in an unhandled error or memory corruption.
While no specific APTs are directly linked in the CVE, any actor seeking to disrupt network analysis or monitoring capabilities could exploit this vulnerability. Because exploitation requires only that a user open a crafted capture file, it is within reach of a wide range of threat actors. CISA KEV status: Not listed.
Monitor Wireshark application logs for unexpected crashes or errors during file parsing.
Analyze network traffic for the presence of suspicious pcapng files, especially those originating from untrusted sources.
Implement file integrity monitoring to detect any unauthorized modifications to Wireshark installation files.
Monitor system resource usage (CPU, memory) for spikes when Wireshark is parsing files, which could indicate a DoS attempt.
Network Intrusion Detection Systems (NIDS) can be configured to detect malicious pcapng files based on specific patterns or characteristics.
Upgrade to a patched version of Wireshark (e.g., 3.6.1 or later) that addresses the vulnerability.
Restrict access to Wireshark to only trusted users and systems.
Implement input validation to filter out potentially malicious pcapng files before they are processed by Wireshark.
Regularly update Wireshark and other software to patch known vulnerabilities.
Consider using a network-based intrusion detection system (NIDS) to identify and block malicious pcapng files before they reach Wireshark.
Implement file reputation services to identify and block malicious files.
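One way to implement the pre-processing input validation suggested above, as an added example that is not Wireshark's own code: walk a pcapng file's block chain and reject files whose block framing is inconsistent (bad length fields, truncation, mismatched trailers, a block before any Section Header Block) before the file is ever opened in Wireshark. It checks generic block framing only, not a specific trigger for this CVE; the block() helper and the GOOD/BAD sample files are constructed here.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block; reads the same in either byte order
BYTE_ORDER_MAGIC = 0x1A2B3C4D  # tells the reader which endianness the section uses
MIN_BLOCK_LEN = 12             # type (4) + total length (4) + trailing total length (4)

def validate_pcapng(data: bytes) -> list:
    """Walk the block chain; return problems found (empty list means consistent framing).
    Stops at the first problem, since later offsets can no longer be trusted."""
    problems, off, endian = [], 0, None
    while off < len(data):
        if len(data) - off < MIN_BLOCK_LEN:
            problems.append(f"offset {off}: {len(data) - off} trailing bytes, not a full block")
            break
        if struct.unpack_from("<I", data, off)[0] == SHB_TYPE:
            magic = data[off + 8:off + 12]  # byte-order magic follows type and length
            endian = {struct.pack("<I", BYTE_ORDER_MAGIC): "<", struct.pack(">I", BYTE_ORDER_MAGIC): ">"}.get(magic)
            if endian is None:
                problems.append(f"offset {off}: bad byte-order magic {magic.hex()}")
                break
        elif endian is None:
            problems.append(f"offset {off}: block appears before any Section Header Block")
            break
        btype, total_len = struct.unpack_from(endian + "II", data, off)
        if total_len < MIN_BLOCK_LEN or total_len % 4:
            problems.append(f"offset {off}: block type {btype:#x} has invalid length {total_len}")
            break
        if off + total_len > len(data):
            problems.append(f"offset {off}: block type {btype:#x} length {total_len} runs past end of file")
            break
        trailer = struct.unpack_from(endian + "I", data, off + total_len - 4)[0]
        if trailer != total_len:
            problems.append(f"offset {off}: leading length {total_len} != trailing length {trailer}")
            break
        off += total_len
    return problems

def block(endian: str, btype: int, body: bytes) -> bytes:
    total = MIN_BLOCK_LEN + len(body)  # one block with matching leading and trailing lengths
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

# Constructed samples: SHB (version 1.0, section length unknown) + one Interface
# Description Block (linktype 1 = Ethernet, snaplen 65535), little- and big-endian.
GOOD = (block("<", SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
        + block("<", 1, struct.pack("<HHI", 1, 0, 65535)))
GOOD_BE = (block(">", SHB_TYPE, struct.pack(">IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
           + block(">", 1, struct.pack(">HHI", 1, 0, 65535)))
BAD_LENGTH = GOOD[:32] + struct.pack("<I", 0xFFFFFFF0) + GOOD[36:]  # IDB claims ~4 GiB
BAD_TRAILER = GOOD[:-4] + struct.pack("<I", 12)                     # trailer disagrees with header
```

A non-empty result is a reason to quarantine the file rather than open it; an empty result only means the framing is consistent, not that the file is safe.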