Wireshark can be crashed via malicious packet trace files

The Wireshark team has plugged three serious vulnerabilities that could allow an unauthenticated, remote attacker to crash vulnerable installations.

According to Cisco researchers, proof-of-concept (PoC) code that demonstrates an exploit of each of the vulnerabilities is publicly available.

Wireshark DoS vulnerabilities

About the Wireshark DoS vulnerabilities

Wireshark is the world’s most popular network protocol analyzer. The software is free and open source.

The vulnerabilities – CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 – affect three components of Wireshark: the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector, respectively.

All three vulnerabilities can be exploited by an attacker by injecting a malformed packet into a network, to be processed by the affected application, or by convincing a targeted user to open a malicious packet trace file.

“The attacker may use misleading language and instructions to convince a user to open a malicious packet trace file. To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides,” Cisco researchers have noted, and added that this access requirement may reduce the likelihood of a successful exploit.

Wireshark users are urged to upgrade to one of the fixed versions: 2.6.3, 2.4.9, or 2.2.17 (available for download here).

Cisco also advises them to use firewalls and antivirus apps to minimize the potential of inbound and outbound threats, and to allow only trusted users to have network access and trusted systems to access the affected systems.