CVE-2021-4190

Source: cve@gitlab.com

HIGH
7.5
Published: December 30, 2021 at 10:15 PM
Modified: November 3, 2025 at 10:15 PM

Vulnerability Description

Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack. A flaw in the Kafka dissector allows attackers to crash Wireshark by injecting malicious packets or loading a crafted capture file, rendering the tool unusable and potentially disrupting network analysis operations. This vulnerability can be triggered remotely, making it a significant threat to network security monitoring.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious Kafka message or creates a capture file (.pcap or .pcapng) containing a malicious Kafka message. This message is specifically designed to trigger the vulnerable loop within the Kafka dissector.

Step 2: Triggering the Vulnerability: The attacker either injects the malicious Kafka message directly onto a network being monitored by Wireshark (e.g., by sending the crafted message to a Kafka broker that Wireshark is configured to monitor) or provides the crafted capture file to a user who opens it in Wireshark.

Step 3: Dissector Execution: When Wireshark processes the malicious Kafka message (either live or from a file), the Kafka dissector is invoked.

Step 4: Loop Execution: The crafted message causes the vulnerable loop within the Kafka dissector to execute repeatedly, consuming excessive CPU resources.

Step 5: Denial of Service: The excessive CPU usage leads to Wireshark becoming unresponsive and eventually crashing, resulting in a denial-of-service condition.

03 // Deep Technical Analysis

Root Cause: The vulnerability lies within the Kafka dissector in Wireshark version 3.6.0. Specifically, a large loop is triggered when processing Kafka protocol data. The dissector, responsible for parsing and displaying network traffic, enters an infinite or extremely long loop when encountering a malformed or crafted Kafka message. This leads to excessive CPU consumption and ultimately crashes the Wireshark application. The flaw is not a buffer overflow or memory corruption issue, but rather a logic error in the parsing of Kafka messages, causing an uncontrolled iteration. The lack of proper input validation allows for the triggering of this loop.

04 // Exploitation Status

The vulnerability is likely **Discovery Only**. While the vulnerability is known and the root cause is understood, there is no readily available public exploit. However, the simplicity of the vulnerability (a logic flaw) suggests that a proof-of-concept (PoC) could be easily created. The potential for DoS makes this a significant risk.

05 // Threat Intelligence

There is no specific APT or malware known to be actively exploiting this vulnerability. However, any actor seeking to disrupt network monitoring or analysis capabilities could potentially leverage this vulnerability. This vulnerability is not listed on the CISA KEV at this time, but could be added if actively exploited.

06 // Detection & Hunting

  • Monitor CPU usage of Wireshark processes. A sudden and sustained spike in CPU usage when processing Kafka traffic or opening capture files containing Kafka data is a strong indicator.

  • Analyze network traffic for unusual Kafka messages, particularly those with malformed headers or unexpected data structures. Use Wireshark itself to examine the Kafka traffic, looking for unusual patterns.

  • Examine Wireshark crash logs for error messages related to the Kafka dissector or infinite loops.

  • Implement network intrusion detection systems (IDS) rules to identify and block malicious Kafka messages based on known attack patterns (once identified).

07 // Remediation & Hardening

  • Upgrade to a patched version of Wireshark (3.6.1 or later) that addresses the vulnerability. This is the primary and most effective remediation step.

  • If upgrading is not immediately possible, restrict the use of Wireshark to trusted users and environments.

  • Implement input validation on Kafka messages if possible, especially if custom Kafka applications are used. This can help prevent the injection of malicious messages.

  • Monitor network traffic for suspicious Kafka messages and block them at the network edge.
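A version check to support the upgrade step above, as an added example that is not part of the original advisory or of Wireshark: it classifies a version banner against the versions this page names (affected 3.6.0, fixed 3.6.1 or later). The function names, the result labels and the sample banners are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a Wireshark/TShark version banner against
# CVE-2021-4190 using only the versions named on this page.

# Print the first x.y.z version number found in a banner, or nothing.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of: affected | patched | not-listed | unknown
classify_cve_2021_4190() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"          # banner missing or not parseable
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -eq 0 ]; then
        echo "affected"         # exactly 3.6.0
    elif [ "$major" -gt 3 ] ||
         { [ "$major" -eq 3 ] && [ "$minor" -gt 6 ]; } ||
         { [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 1 ]; }; then
        echo "patched"          # 3.6.1 or later
    else
        echo "not-listed"       # older branch: this page makes no claim
    fi
}

# Constructed sample banners (not captured from real hosts).
while IFS= read -r banner; do
    printf '%-11s %s\n' "$(classify_cve_2021_4190 "$banner")" "$banner"
done <<'EOF'
TShark (Wireshark) 3.6.0 (Git v3.6.0 packaged as 3.6.0-1)
TShark (Wireshark) 3.6.1 (Git v3.6.1 packaged as 3.6.1-1)
TShark (Wireshark) 3.4.10
sh: tshark: not found
EOF

# Check the local install, if tshark is on PATH.
if command -v tshark >/dev/null 2>&1; then
    classify_cve_2021_4190 "$(tshark --version 2>/dev/null | head -n 1)"
fi
```

A result of `not-listed` means the version is older than 3.6.0 and must be checked against the vendor advisory, since this page names only 3.6.0 as affected.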

08 // Affected Products

Wireshark 3.6.0

References & Intelligence

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4190.json
Source: cve@gitlab.com
Third Party Advisory
https://gitlab.com/wireshark/wireshark/-/issues/17811
Source: cve@gitlab.com
Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
Source: cve@gitlab.com
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
Source: cve@gitlab.com
https://security.gentoo.org/glsa/202210-04
Source: cve@gitlab.com
Third Party Advisory
https://www.wireshark.org/security/wnpa-sec-2021-22.html
Source: cve@gitlab.com
Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4190.json
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://gitlab.com/wireshark/wireshark/-/issues/17811
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
Source: af854a3a-2127-422b-91ae-364da2661108
https://security.gentoo.org/glsa/202210-04
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www.wireshark.org/security/wnpa-sec-2021-22.html
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory