Source: cve@gitlab.com
Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file
Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack. A flaw in the Gryphon dissector allows attackers to crash the application by injecting malicious packets or providing a crafted capture file, rendering the tool unusable and potentially disrupting network analysis workflows. This vulnerability impacts versions 3.4.0 through 3.4.10 of Wireshark.
Step 1: Payload Delivery: The attacker crafts a malicious packet or a capture file (.pcap or .pcapng) containing a specially crafted Gryphon protocol payload. This payload is designed to trigger the vulnerability within the Gryphon dissector.
Step 2: Packet Ingestion: The victim, using a vulnerable version of Wireshark (3.4.0 to 3.4.10), opens the malicious capture file or captures the malicious packet stream.
Step 3: Dissection Trigger: Wireshark's Gryphon dissector attempts to parse the malicious Gryphon data.
Step 4: Vulnerability Exploitation: The crafted payload causes the Gryphon dissector to execute an invalid memory operation, such as writing to an invalid memory address or reading beyond the allocated buffer.
Step 5: Application Crash: The invalid memory operation leads to a crash of the Wireshark application, resulting in a denial-of-service condition.
The vulnerability lies within the Gryphon dissector, the component responsible for parsing and interpreting Gryphon protocol traffic. The root cause is a flaw in how the dissector handles specific data structures or packet formats. This likely involves a memory corruption issue, such as a buffer overflow or an out-of-bounds read, triggered by malformed or crafted Gryphon packets. When the dissector encounters the problematic data, it attempts to read from or write to memory it should not touch, and the application crashes. The specific function or logic flaw is likely related to incorrect bounds checking or improper handling of data lengths within the Gryphon protocol parsing code.
Because the impact is limited to denial of service, this vulnerability is less likely to be exploited by sophisticated APTs. However, it could be leveraged by less skilled attackers or used in conjunction with other vulnerabilities. There is no indication of CISA KEV status.
Monitor network traffic for unusual Gryphon protocol activity, especially packets with malformed or unusual headers and payloads.
Analyze Wireshark crash logs for error messages related to the Gryphon dissector.
Examine .pcap or .pcapng files received over the network (for example as e-mail attachments or downloads) for signs of tampering before they reach an analyst's workstation.
Implement file integrity monitoring on Wireshark installation directories.
Monitor system resource usage (CPU, memory) while Wireshark is running for unexpected spikes, which could indicate an attempt to trigger the crash.
Upgrade Wireshark to version 3.4.11 or later, which includes a fix for this vulnerability.
Restrict access to Wireshark to only authorized users.
Implement network segmentation to limit the scope of potential attacks.
Regularly update Wireshark and other software to patch known vulnerabilities.
Screen .pcap and .pcapng files from untrusted sources for malicious content before opening them in Wireshark.
Consider using a network intrusion detection system (NIDS) to identify and block malicious Gryphon traffic.
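Two of the checks above can be scripted: confirming whether the installed version falls in the affected 3.4.0 to 3.4.10 range, and pre-screening a capture file headlessly so that a dissector crash kills a throwaway tshark process rather than the analyst's Wireshark session. The script below is an added example, not code from Wireshark or the advisory; it assumes `tshark` is on PATH and that a child process dying from a signal (negative return code) is the externally visible form of the crash.

```python
"""Version check and headless capture-file pre-screen (added example, not part of the advisory)."""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (3, 4, 0)   # first affected release named in the advisory
AFFECTED_MAX = (3, 4, 10)  # last affected release; 3.4.11 carries the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first dotted x.y.z version out of text such as the first line
    of `tshark -v`: 'TShark (Wireshark) 3.4.10 (Git v3.4.10 packaged as ...)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_affected(version_text: str) -> bool:
    """True when the version lies inside the affected 3.4.0-3.4.10 range."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def classify_run(returncode: Optional[int], timed_out: bool) -> str:
    """Map a tshark exit status to a screening verdict. A negative return code
    means the child died from a signal (e.g. SIGSEGV), which is how a dissector
    crash appears from outside the process."""
    if timed_out:
        return "timeout"   # hang; treat as suspect, do not open in the GUI
    if returncode is None:
        return "unknown"   # tshark could not be started
    if returncode < 0:
        return "crash"
    return "clean" if returncode == 0 else "error"


def screen_capture(path: str, timeout: int = 60) -> str:
    """Dissect the file with tshark in a subprocess (-q suppresses per-packet
    output, -z io,phs forces a full protocol-hierarchy pass) and classify."""
    try:
        proc = subprocess.run(["tshark", "-r", path, "-q", "-z", "io,phs"],
                              capture_output=True, timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return classify_run(None, True)
    except FileNotFoundError:
        return classify_run(None, False)
    return classify_run(proc.returncode, False)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", screen_capture(sys.argv[1]))
```

Run the pre-screen on an unprivileged, disposable host or container; a verdict of "crash" or "timeout" on a 3.4.x install is the signal to upgrade before handling the file any further.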