due to lack of validation of certain fields. An attacker can supply a specially crafted capture file to trigger an unaligned access, resulting in a crash or unexpected behaviour. Wireshark does not process malformed capture files, and thus can crash. This might allow an attacker to remotely trigger this flaw.


The following is a crash example: https://paste.wireshark.org/ display/76915/poc-Aligned+access+in+the+CSN.1+protocol+dissector+in+Wireshark+3.6.0+to+ 3.6.1+allows+denial+of+service+via+packet+injection+or+crafted+capture+file. The CSN.1 protocol dissector is part of the Internet Protocol (IP) protocol family. This dissection details the data types used by the dissector. An example of a malformed capture file is as follows: ************************ * CSN.1 protocol dissector analysis in Wireshark ************************ In the above example, a malformed packet was injected into the network trace. As a result, an unaligned access occurred in the dissector, which resulted in a crash. This could allow an attacker to remotely trigger this issue and cause a system to crash or unexpectedly restart. ************************ * An example of a malformed capture file in Wireshark ************************

CVE-2023-0583

Due to use-after-free vulnerability, an attacker can cause a denial of service or arbitrary code execution. In the following example, Wireshark crashed: https://paste.wireshark.org/ display/76916/poc-Alignment+in+the+CSN.1+protocol+dissector+in+Wireshark+3.6.0+. Wireshark does not process malformed capture files, and thus crashes when it attempts to read from a malformed file as shown in the following example:

This issue could allow an attacker to cause unexpected behavior on the target system by triggering this vulnerability.

CVE-2022-0583

Due to a lack of validation of certain fields, an attacker can supply a specially crafted capture file to trigger an unaligned access, resulting in a crash or unexpected behaviour. Wireshark does not process malformed capture files, and thus can crash. This might allow an attacker to remotely trigger this flaw.
The following is a crash example: https://paste.wireshark.org/ display/76916/poc-Aligned+access+in+the+CSN.1+protocol+dissector+in+Wireshark+3.6.0+to +3.6.1+allows+Denial+of+service+. The CSN.1 protocol dissector is part of the Internet Protocol (IP) protocol family and details the data types used by the dissector.

4.2

.11 Unaligned Access in the CSN.1 Protocol Dissector in Wireshark 3.6.0 to 3.6.1 Allows Denial of Service via Packet Injection or Crafted Capture File
The following is a crash example: https://paste.wireshark.org/ display/76916/poc-Unaligned+access+in+the+CSN.1+protocol+dissector+in+Wireshark+3.6.0+(to+)3.6.1+(allows)+denial+of+service+. The CSN.1 protocol dissector is part of the Internet Protocol (IP) protocol family. This dissection details the data types used by the dissector, which includes the data type called "BC" that refers to the broadcast control channel (BCCH) for cellular networks specified in ISO 8802-2:1999, amendment 2 and ITU-T Recommendation G8805-B:1996, section 4(11). An example of a malformed packet is as follows: ************************ * CSN.1 protocol dissector analysis in Wireshark ************************ In the above example, a malformed packet was injected into the network trace and an unaligned access can be seen when going through a capture file with BC set to 0xFFFE or whenever there is an invalid length field specified for that data type (e.g., BC=0

Timeline

Published on: 02/14/2022 22:15:00 UTC
Last modified on: 04/01/2022 17:29:00 UTC

References