Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file
Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack. A flaw in the Kafka dissector allows attackers to crash Wireshark by injecting malicious packets or loading a crafted capture file, rendering the application unusable. This vulnerability can disrupt network analysis and incident response efforts.
Step 1: Payload Delivery: An attacker crafts a malicious Kafka packet or creates a capture file (.pcap or .pcapng) containing a malicious Kafka packet.
Step 2: Packet Injection/File Loading: The attacker either injects the malicious packet directly onto a network monitored by Wireshark or provides a crafted capture file to a user.
Step 3: Dissector Trigger: The victim opens the capture file in Wireshark or Wireshark captures the malicious packet.
Step 4: Loop Execution: The Kafka dissector is invoked to parse the Kafka packet. The crafted packet triggers the vulnerable loop.
Step 5: Resource Exhaustion: The loop consumes excessive CPU resources as it iterates repeatedly.
Step 6: Denial of Service: Wireshark becomes unresponsive, crashes, or is otherwise unable to function, resulting in a denial-of-service condition.
The vulnerability is in the Kafka dissector in Wireshark version 3.6.0. The dissector, which parses and interprets Kafka protocol traffic, contains a large loop that specific crafted packets or capture files can trigger. The root cause is a lack of input validation or improper bounds checking within the loop's processing logic. When the dissector encounters a malicious packet, the loop iterates excessively, consuming significant CPU resources and eventually leading to a denial-of-service condition. This is a resource exhaustion issue rather than a memory corruption vulnerability. The flaw is in the parsing of Kafka message headers or payloads, where the dissector fails to properly handle malformed or excessively large data structures, causing the loop to run indefinitely.
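The bug class described above, as an added illustration that is not Wireshark's Kafka dissector code or the project's fix: a hypothetical parser for a made-up array format (4-byte big-endian count followed by 4-byte elements), run with and without a check of the claimed count against the bytes actually present. The function names, the format and both sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE 4u /* assumed fixed element size in this made-up format */

/* Constructed sample buffers (not captured traffic). */
static const uint8_t SAMPLE_OK[]  = {0x00, 0x00, 0x00, 0x02,   /* count = 2 */
                                     0, 0, 0, 1,  0, 0, 0, 2}; /* 2 elements */
static const uint8_t SAMPLE_BAD[] = {0x00, 0x0F, 0x42, 0x40,   /* count = 1,000,000 */
                                     0, 0, 0, 1,  0, 0, 0, 2}; /* only 2 elements */

/* Read a 32-bit big-endian value; the caller guarantees 4 readable bytes. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the array and return the number of loop iterations performed,
 * or -1 if the header is short, or if validate_count is set and the
 * claimed count cannot fit in the bytes that follow it. */
long parse_array(const uint8_t *buf, size_t len, int validate_count) {
    if (len < 4)
        return -1;
    uint32_t count = read_be32(buf);
    size_t off = 4;
    if (validate_count && count > (len - off) / ELEM_SIZE)
        return -1; /* malformed: rejected before the loop starts */
    long iterations = 0;
    for (uint32_t i = 0; i < count; i++) {
        iterations++;
        if (len - off >= ELEM_SIZE)
            off += ELEM_SIZE; /* element present: consume it */
        /* else: no data left, but without the check the loop keeps going */
    }
    return iterations;
}

int main(void) {
    printf("well-formed, unchecked: %ld\n", parse_array(SAMPLE_OK, sizeof SAMPLE_OK, 0));
    printf("well-formed, checked:   %ld\n", parse_array(SAMPLE_OK, sizeof SAMPLE_OK, 1));
    printf("oversized,   unchecked: %ld\n", parse_array(SAMPLE_BAD, sizeof SAMPLE_BAD, 0));
    printf("oversized,   checked:   %ld\n", parse_array(SAMPLE_BAD, sizeof SAMPLE_BAD, 1));
    return 0;
}
```

With the check in place, the work done is bounded by the size of the buffer rather than by a value taken from the packet.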