Source: cve@gitlab.com
Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file
Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack due to an infinite loop within its RTMPT dissector. Attackers can trigger this vulnerability by injecting malicious network packets or providing a crafted capture file, causing Wireshark to consume excessive resources and become unresponsive, potentially disrupting network analysis operations.
Step 1: Payload Delivery: The attacker crafts a malicious RTMPT packet or creates a capture file (.pcap or .pcapng) containing such a packet.
Step 2: Packet Injection/File Opening: The attacker either injects the crafted packet onto a network monitored by Wireshark or provides the crafted capture file to a user who opens it in Wireshark.
Step 3: Dissector Trigger: Wireshark's RTMPT dissector processes the malicious packet or file.
Step 4: Infinite Loop: The flawed parsing logic within the RTMPT dissector encounters the crafted data and enters an infinite loop, consuming CPU resources.
Step 5: Denial of Service: Wireshark becomes unresponsive, effectively denying service to the user or network analyst.
The vulnerability lies within the RTMPT (Real Time Messaging Protocol Tunneling) dissector in Wireshark. The infinite loop is triggered by a flaw in how the dissector handles malformed or crafted RTMPT packets. Specifically, the parsing logic within the dissector, likely related to handling packet length or data structures, enters an infinite loop when presented with a specific sequence or combination of malformed RTMPT data. This drives CPU usage to 100% and leaves Wireshark unresponsive. The root cause is a lack of proper input validation or error handling within the dissector's parsing routines, allowing the crafted input to bypass expected checks and enter the loop. This is not a buffer overflow or memory corruption vulnerability, but rather a logic flaw that leads to a resource exhaustion condition.
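As an added illustration of the bug class described above, and not Wireshark's RTMPT dissector code (the record framing, sample bytes and function names are hypothetical), a record walker that advances by an unvalidated declared length beside a hardened version that enforces forward progress and stops on malformed input:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical framing constructed for this example: each record is a
 * 2-byte big-endian total length (header included) followed by payload. */
static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Bug-class sketch: advance by the declared length without validating it.
 * A record declaring length 0 never moves `off`. The `budget` cap exists only
 * so the demonstration terminates; a real dissector would spin at 100% CPU.
 * Returns records counted, or -1 when the budget ran out (i.e. it would hang). */
int walk_unchecked(const uint8_t *buf, size_t len, unsigned budget)
{
    size_t off = 0;
    int records = 0;
    while (off + 2 <= len) {
        if (budget-- == 0)
            return -1;             /* no forward progress: would loop forever */
        unsigned total = rd16(buf + off);
        off += total;              /* total == 0 leaves off unchanged */
        records++;
    }
    return records;
}

/* Hardened walker: a length must cover at least its own header and must not
 * run past the buffer, so every iteration strictly advances or the parse stops.
 * Returns records counted, or -1 on the first malformed record. */
int walk_checked(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int records = 0;
    while (off + 2 <= len) {
        unsigned total = rd16(buf + off);
        if (total < 2 || total > len - off)
            return -1;             /* malformed: report and stop, do not spin */
        off += total;
        records++;
    }
    return records;
}

/* Constructed inputs: two well-formed records, and the same stream with a
 * zero-length record inserted between them. */
static const uint8_t GOOD[]  = { 0x00,0x04, 0xAA,0xBB, 0x00,0x03, 0xCC };
static const uint8_t STUCK[] = { 0x00,0x04, 0xAA,0xBB, 0x00,0x00, 0x00,0x03, 0xCC };

int main(void)
{
    printf("unchecked good=%d stuck=%d\n", walk_unchecked(GOOD, sizeof GOOD, 1000),
           walk_unchecked(STUCK, sizeof STUCK, 1000));
    printf("checked   good=%d stuck=%d\n", walk_checked(GOOD, sizeof GOOD),
           walk_checked(STUCK, sizeof STUCK));
    return 0;
}
```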
While no specific APTs are directly linked to this CVE, any actor with the capability to craft network packets or access capture files could potentially exploit this vulnerability. This could include state-sponsored actors, cybercriminals, or even malicious insiders. This CVE is not listed in the CISA KEV catalog.
High CPU utilization by the Wireshark process.
Unresponsive Wireshark interface.
Network traffic analysis showing a sudden increase in RTMPT traffic (though this is less reliable as the attack can be triggered by a single crafted packet).
Examination of capture files for unusual RTMPT packet structures or sizes.
Alerts from intrusion detection systems (IDS) or intrusion prevention systems (IPS) configured to detect malicious RTMPT traffic (if signatures are available).
Upgrade Wireshark to a patched version (3.6.1 or later, or 3.4.11 or later).
Restrict access to Wireshark instances, especially those used for network monitoring of untrusted networks.
Implement network segmentation to limit the impact of a successful exploit.
Regularly update Wireshark and other software to patch known vulnerabilities.
Monitor Wireshark's resource usage (CPU, memory) to detect unusual activity.
Consider using a network intrusion detection system (NIDS) with signatures for malicious RTMPT traffic.