Wireshark, a popular network protocol analyzer, has been found to contain a critical vulnerability, identified as CVE-2023-0414. This vulnerability is present in the EAP (Extensible Authentication Protocol) dissector of Wireshark versions 4.0.0 to 4.0.2. The crash in the EAP dissector allows an attacker to cause a denial of service (DoS) through packet injection or a crafted capture file. In this post, we will discuss the technical details of this vulnerability, explore a code snippet demonstrating the issue, and provide the necessary references and exploit details.

Technical Details

The EAP dissector in Wireshark is responsible for decoding and analyzing the EAP packets, an integral part of the 802.1X authentication process. The identified vulnerability is a type of buffer overflow issue where the EAP dissector mishandles an incorrect packet length. The vulnerability can be exploited by injecting a specially crafted packet or creating a malicious capture file. When Wireshark attempts to dissect such packets, an uncontrolled buffer overflow leads to a program crash and denial of service.

Code Snippet

The code snippet below demonstrates how the vulnerability can be triggered in the EAP dissector. The root cause of the issue lies in the incorrect handling of the packet length, causing a buffer overflow.

/* EAP dissector in epan/dissectors/packet-eap.c (simplified illustration) */
#include "config.h"
#include <epan/packet.h>

#define EAP_HDR_LEN 4   /* Code (1) + Identifier (1) + Length (2), per RFC 3748 */

static int
dissect_eap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_)
{
    guint  offset = 0;
    guint8 eap_code;
    guint8 eap_identifier;
    guint  length;

    /* Read the 4-byte EAP header */
    eap_code       = tvb_get_guint8(tvb, offset);
    eap_identifier = tvb_get_guint8(tvb, offset + 1);
    length         = tvb_get_ntohs(tvb, offset + 2);

    /* Check whether the declared length is valid */
    if (length < EAP_HDR_LEN) {
        /* Vulnerability: the malformed length is not rejected here, so the
         * dissector keeps going with a length smaller than the header itself */
    }

    /* Continue dissecting using the untrusted length ... */
    return tvb_captured_length(tvb);
}
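To show what a correct version of that length check has to do, the following is a standalone C model of EAP header parsing added for this post; it is not Wireshark code and does not use the tvbuff API. It assumes the 4-byte header layout from RFC 3748 and rejects a packet whose declared Length is smaller than the header or larger than the bytes actually captured, the two conditions under which the arithmetic in a dissector goes wrong.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 3748 header: Code (1) + Identifier (1) + Length (2) */
#define EAP_HDR_LEN 4

enum eap_status {
    EAP_OK            = 0,
    EAP_ERR_SHORT     = -1, /* fewer than 4 bytes captured */
    EAP_ERR_BAD_LEN   = -2, /* declared Length smaller than the header itself */
    EAP_ERR_TRUNCATED = -3  /* declared Length larger than the captured bytes */
};

typedef struct {
    uint8_t        code;
    uint8_t        identifier;
    uint16_t       length;   /* Length field as carried in the header */
    const uint8_t *data;     /* bytes after the header (Type + Type-Data) */
    size_t         data_len; /* length - EAP_HDR_LEN */
} eap_hdr_t;

/* Parse one EAP packet; every bound is checked before any data is read. */
int eap_parse(const uint8_t *buf, size_t buf_len, eap_hdr_t *out)
{
    if (buf == NULL || out == NULL || buf_len < EAP_HDR_LEN)
        return EAP_ERR_SHORT;

    uint16_t length = (uint16_t)((buf[2] << 8) | buf[3]);

    /* The check the snippet above leaves empty: a Length below the header
     * size would make (length - EAP_HDR_LEN) wrap to a huge unsigned value. */
    if (length < EAP_HDR_LEN)
        return EAP_ERR_BAD_LEN;

    /* Never trust Length beyond the bytes actually present in the buffer. */
    if (length > buf_len)
        return EAP_ERR_TRUNCATED;

    out->code       = buf[0];
    out->identifier = buf[1];
    out->length     = length;
    out->data       = buf + EAP_HDR_LEN;
    out->data_len   = length - EAP_HDR_LEN;
    return EAP_OK;
}

/* Constructed samples for testing (not captured traffic). */
const uint8_t eap_ok_pkt[]        = {0x01, 0x01, 0x00, 0x05, 0x01}; /* Request, Identity */
const uint8_t eap_badlen_pkt[]    = {0x01, 0x01, 0x00, 0x02, 0x01}; /* Length 2 < header */
const uint8_t eap_truncated_pkt[] = {0x01, 0x01, 0x01, 0x00, 0x01}; /* claims 256 bytes */
```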

Exploit Details

An attacker can exploit this vulnerability through two methods: packet injection or creating a crafted capture file.

1. Packet Injection: An attacker can inject a specially crafted EAP packet with an incorrect length value on a network being monitored by the Wireshark application. When the EAP dissector processes the malformed packet, it will lead to a buffer overflow and application crash, causing a denial of service.

2. Crafted Capture File: An attacker can create a malicious capture file containing a malformed EAP packet with an incorrect length value. When the victim opens the crafted file using Wireshark, the EAP dissector processes the malformed packet, leading to a buffer overflow, application crash, and denial of service.

Original References

1. Official Wireshark 4.0.3 Release Notes (Fixes CVE-2023-0414): https://www.wireshark.org/docs/relnotes/wireshark-4.0.3.html
2. Mention of CVE-2023-0414 in the Wireshark Bug database: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16185

Recommendations

To mitigate the described vulnerability, it is essential to update Wireshark to version 4.0.3 or later. Furthermore, users should be cautious when opening capture files from untrusted sources and when monitoring networks where an attacker might inject malicious packets. Regularly updating the application and being mindful of the source of the capture files should help reduce the risks of this and other vulnerabilities.

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/01/2023 16:22:00 UTC