Source: cve@gitlab.com
Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file
Wireshark, a widely used network protocol analyzer, is vulnerable to denial of service because of an infinite loop in its BitTorrent DHT (bt-dht) dissector. An attacker triggers it by injecting crafted DHT packets onto a link that Wireshark is capturing, or by getting an analyst to open a crafted capture file. The dissecting process (Wireshark, or tshark, which uses the same dissector library) then spins at full CPU and never finishes decoding the packet, so the tool is unusable until it is killed. The advisory reports only a hang, not memory corruption, so the impact is limited to the analyst's session.
Step 1: Delivery: the attacker either injects crafted DHT packets onto a network segment that Wireshark is capturing, or hands a crafted capture file to an analyst who opens it.
Step 2: Processing: Wireshark reads the file or receives the live frames and runs the dissection chain over each packet.
Step 3: Dissector activation: the packets are handed to the BitTorrent DHT dissector.
Step 4: Infinite loop: the crafted message drives the dissector into a loop that never terminates.
Step 5: Resource exhaustion: the dissecting thread spins at 100% of one core and never completes the packet.
Step 6: Denial of service: the Wireshark GUI stops responding, or tshark never returns, and the process must be killed. It does not crash; the loop simply never exits.
The vulnerability lies in the BitTorrent Distributed Hash Table (DHT) dissector (epan/dissectors/packet-bt-dht.c). DHT messages are bencoded KRPC dictionaries carried over UDP (BEP 5), and the dissector walks the bencoded structure element by element. A crafted message makes the dissector process one part of that structure repeatedly without ever reaching the end of the buffer, which pins the CPU and produces the denial-of-service condition. The advisory does not publish the faulty code path; the failure class is the usual one for dissector infinite loops, a loop over attacker-supplied elements whose exit condition depends on lengths or offsets taken from the packet, with no guarantee that each iteration advances the offset. Insufficient bounds checking and input validation on the received message is what lets crafted input reach that state.
No APT group is known to have exploited this vulnerability. It is cheap to trigger (a single crafted datagram or file) but only reaches targets that are running Wireshark or tshark on the traffic in question, such as an analyst capturing on a shared segment or opening a capture file received from an untrusted party. This vulnerability is not listed on the CISA KEV list.
A Wireshark or tshark process pinned at 100% of one core that never returns to idle.
Wireshark stalling while loading a capture file, or the packet list ceasing to update during a live capture, without any error dialog.
The capture that triggers the hang contains UDP datagrams whose payloads are bencoded KRPC messages (DHT traffic, commonly but not only on UDP port 6881); opening the same file with the bt-dht dissector disabled and having it load normally confirms the dissector is the cause.
Because the bug is an infinite loop rather than a crash, there is normally no crash log; a stack sample of the hung process (for example with gdb or Process Explorer) showing frames in the BitTorrent DHT dissector is the confirming artifact.
Volume of DHT traffic on the network is a weak signal on its own, since one packet is enough to trigger the loop; a malformed KRPC message is the thing to look for.
Upgrade Wireshark to a patched version (3.6.1 or later, or 3.4.11 or later).
Where upgrading is not immediately possible, disable the BitTorrent DHT dissector as a workaround (Analyze > Enabled Protocols in the GUI, or tshark --disable-protocol bt-dht); DHT traffic will then be shown as undecoded UDP.
Run Wireshark with the least privilege needed (capture with dumpcap running as a separate privileged helper, dissect as an unprivileged user) and open untrusted capture files in an isolated analysis environment, so a hung or compromised dissector costs only that session.
Network intrusion detection can flag malformed DHT packets on segments that analysts capture from, but it is not a substitute for patching, since a crafted capture file never crosses the network.
Regularly update Wireshark and other software to patch known vulnerabilities, and educate users about the risks of opening capture files from untrusted sources.
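Two of the checks above, the version comparison against the affected ranges and a dissector-free scan of a capture file for DHT-looking datagrams, can be scripted so an analyst can triage an untrusted pcap before Wireshark opens it. The following is an added example written for this page, not Wireshark project code. It parses the libpcap format directly (Ethernet/IPv4/UDP only; pcapng is not handled) and uses a simple KRPC heuristic (a bencoded dictionary carrying a one-byte "y" key) that is an assumption made here, not Wireshark's own bt-dht detection logic. The sample capture is constructed in the script.

```python
"""Pre-flight triage for an untrusted capture before Wireshark opens it.

Added example, not Wireshark project code. is_affected_version() checks a
version string against the ranges the advisory names (3.4.0 through 3.4.10,
and 3.6.0); find_dht_candidates() walks a libpcap file with plain struct
parsing and reports UDP payloads that look like DHT KRPC messages.
"""
import re
import struct
from typing import List, Tuple

Version = Tuple[int, int, int]
AFFECTED_RANGES = [((3, 4, 0), (3, 4, 10)), ((3, 6, 0), (3, 6, 0))]
KRPC_TYPE = re.compile(rb"1:y1:[qre]")  # heuristic: BEP 5 'y' key with q/r/e


def version_from_banner(text: str) -> Version:
    """Extract x.y.z from e.g. the first line of `tshark --version`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected_version(text: str) -> bool:
    """True only for versions the advisory lists; other branches are not vouched for."""
    v = version_from_banner(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def looks_like_krpc(payload: bytes) -> bool:
    """Bencoded dict (d...e) carrying a one-byte 'y' message-type value."""
    return (len(payload) > 4 and payload[:1] == b"d" and payload[-1:] == b"e"
            and KRPC_TYPE.search(payload) is not None)


def find_dht_candidates(pcap: bytes) -> List[dict]:
    """Return one record per UDP datagram whose payload looks like KRPC."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a libpcap file (pcapng not handled here)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) handled")
    hits, off, n = [], 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        n += 1
        if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        udp = 14 + ihl
        if frame[14 + 9] != 17 or len(frame) < udp + 8:
            continue  # not UDP, or truncated
        sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
        payload = frame[udp + 8:udp + max(ulen, 8)]
        if looks_like_krpc(payload):
            hits.append({"frame": n,
                         "src": "%d.%d.%d.%d" % tuple(frame[26:30]),
                         "dst": "%d.%d.%d.%d" % tuple(frame[30:34]),
                         "sport": sport, "dport": dport, "payload": payload})
    return hits


def _udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame for the constructed sample (checksums left zero)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_src, ip_dst) + udp
    return b"\x02" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip


def _pcap(frames: List[bytes]) -> bytes:
    """Little-endian libpcap container around the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: a DHT ping query, a DNS query, and the DHT ping response.
NODE_ID = b"\x11" * 20  # placeholder node id, not a real one
SAMPLE_PCAP = _pcap([
    _udp_frame("10.0.0.5", "10.0.0.9", 6881, 6881,
               b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"),
    _udp_frame("10.0.0.5", "10.0.0.2", 51234, 53,
               b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    _udp_frame("10.0.0.9", "10.0.0.5", 6881, 6881,
               b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"),
])

if __name__ == "__main__":
    print("affected 3.4.8:", is_affected_version("TShark (Wireshark) 3.4.8"))
    for h in find_dht_candidates(SAMPLE_PCAP):
        print(h["frame"], h["src"], h["sport"], "->", h["dst"], h["dport"], h["payload"][:24])
```

In practice the version banner comes from `tshark --version` and the bytes from the file under triage; if the scan reports candidates and the installed version is in the affected range, open the file only after upgrading or with `--disable-protocol bt-dht`.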