In this long-read post, we will take a deep dive into a critical vulnerability found in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11, affecting the ISO 15765 and ISO 10681 dissectors. This vulnerability, tracked as CVE-2023-1161, allows attackers to cause a denial of service (DoS) via packet injection or by creating and distributing crafted capture files. We will provide information on the underlying issue, a code snippet showcasing the vulnerability, relevant links to original references, and details on the exploit.

An Overview of Wireshark

First, let's take a look at Wireshark, a free and open-source packet analyzer that is widely used to troubleshoot networks, perform analysis, and identify potential security flaws. Wireshark allows users to visually break down network protocols and inspect the contents of individual packets in real-time or from a saved capture file. One of the critical components of Wireshark is its dissectors, which parse and display protocol data from captured packets.

The Vulnerability

The main issue in question for CVE-2023-1161 lies in the implementation of the ISO 15765 and ISO 10681 dissectors. These dissectors are used to break down and parse data following the ISO 15765 (the standardized protocol for diagnostics in vehicles over a Controller Area Network or CAN bus) and ISO 10681 (the protocol for FlexRay communication systems) standards.

By injecting specifically crafted packets or a specially formed capture file into Wireshark, an attacker could cause the application to crash by exploiting a flaw in the parsing mechanism of these dissectors. This ultimately results in a denial of service (DoS), rendering Wireshark unusable and preventing users from analyzing their network traffic.

Below is a simplified code snippet that highlights where the vulnerability sits within the affected dissectors (the elided parts are marked with "..."):

static int dissect_iso15765(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data)
{
    ...
    guint32 len = 0;   /* message length as declared by the packet itself */
    ...
    /* Read the 4-byte big-endian length field from the buffer at 'offset' and
       store it in 'len' while adding it to the protocol tree. */
    proto_tree_add_item_ret_uint(subtree, hf_iso15765_msg_length, tvb, offset, 4, ENC_BIG_ENDIAN, &len);
    ...
    /* Reject messages that claim more than the protocol maximum. */
    if (len > ISO15765_MAX_LENGTH) {
        return 0;
    }
    ...
}

In this function, the length of the message (or "len") is read from the packet and used to validate that the packet does not exceed the maximum allowed length (ISO15765_MAX_LENGTH). The problem arises when a packet containing a malformed or incorrect length value is processed, causing the application to crash.
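To make the defensive point concrete, here is an added, self-contained C example that is not Wireshark code and does not use Wireshark's API. It models a length-prefixed dissector over a captured frame: the declared length is checked not only against a protocol maximum (as in the snippet above) but also against the number of bytes actually captured, and the length field itself is only read when all four of its bytes are inside the frame. The frame_t type, MAX_MSG_LENGTH value, result codes and the four sample frames are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a captured frame buffer (Wireshark's tvbuff_t plays this role). */
typedef struct {
    const uint8_t *data;
    size_t len;
} frame_t;

/* Assumed protocol maximum for a single message; a constructed value, not from the standard. */
#define MAX_MSG_LENGTH 4095u

enum dissect_result {
    DISSECT_OK = 0,
    DISSECT_TRUNCATED_HEADER,       /* fewer than 4 bytes available for the length field */
    DISSECT_LENGTH_TOO_LARGE,       /* declared length exceeds the protocol maximum */
    DISSECT_LENGTH_EXCEEDS_CAPTURE  /* declared length exceeds the bytes actually captured */
};

/* Read a big-endian 32-bit value only if all four bytes lie inside the frame. */
static int read_be32_checked(const frame_t *f, size_t offset, uint32_t *out)
{
    if (offset > f->len || f->len - offset < 4)
        return 0;
    *out = ((uint32_t)f->data[offset] << 24) | ((uint32_t)f->data[offset + 1] << 16) |
           ((uint32_t)f->data[offset + 2] << 8) | (uint32_t)f->data[offset + 3];
    return 1;
}

/* Hardened length handling: a value that will drive later memory accesses is validated
   against both the protocol maximum and the captured frame before it is trusted. */
enum dissect_result dissect_length_prefixed(const frame_t *f, size_t offset, uint32_t *payload_len)
{
    uint32_t len = 0;
    if (!read_be32_checked(f, offset, &len))
        return DISSECT_TRUNCATED_HEADER;
    if (len > MAX_MSG_LENGTH)
        return DISSECT_LENGTH_TOO_LARGE;
    offset += 4;                          /* cannot overflow: the read above guaranteed 4 bytes */
    if ((size_t)len > f->len - offset)
        return DISSECT_LENGTH_EXCEEDS_CAPTURE;
    /* Only now is data[offset .. offset + len - 1] safe to parse. */
    *payload_len = len;
    return DISSECT_OK;
}

/* Constructed sample frames: one well-formed, three malformed in different ways. */
static const uint8_t SAMPLE_GOOD[]      = {0x00, 0x00, 0x00, 0x03, 0x10, 0x20, 0x30}; /* len 3, 3 bytes present */
static const uint8_t SAMPLE_HUGE[]      = {0xFF, 0xFF, 0xFF, 0xFF, 0x10};             /* len 0xFFFFFFFF */
static const uint8_t SAMPLE_OVERCLAIM[] = {0x00, 0x00, 0x00, 0x10, 0x10, 0x20};       /* len 16, 2 bytes present */
static const uint8_t SAMPLE_SHORT[]     = {0x00, 0x00};                               /* no full length field */

static const frame_t SAMPLES[] = {
    { SAMPLE_GOOD,      sizeof SAMPLE_GOOD },
    { SAMPLE_HUGE,      sizeof SAMPLE_HUGE },
    { SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM },
    { SAMPLE_SHORT,     sizeof SAMPLE_SHORT },
};

/* Dissect sample frame 'which' (0..3) from offset 0 and report the result code. */
enum dissect_result dissect_sample(int which)
{
    uint32_t unused = 0;
    return dissect_length_prefixed(&SAMPLES[which], 0, &unused);
}

/* Payload length accepted for sample 'which', or 0 when the frame was rejected. */
uint32_t sample_payload_len(int which)
{
    uint32_t len = 0;
    if (dissect_length_prefixed(&SAMPLES[which], 0, &len) != DISSECT_OK)
        return 0;
    return len;
}

int main(void)
{
    static const char *names[] = {"good", "huge", "overclaim", "short"};
    for (int i = 0; i < 4; i++)
        printf("%-10s -> result %d, payload_len %u\n", names[i], dissect_sample(i), sample_payload_len(i));
    return 0;
}
```

The important property is that a frame which lies about its own length (SAMPLE_OVERCLAIM) is rejected by the capture-size check even though it passes the protocol-maximum check; a dissector that only performs the second check will still read past the end of the buffer on such input.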

References

1. Wireshark's official security advisory on CVE-2023-1161: https://www.wireshark.org/security/wnpa-sec-2023-01/
2. National Vulnerability Database (NVD) CVE-2023-1161 entry: https://nvd.nist.gov/vuln/detail/CVE-2023-1161

Exploit Details

To successfully exploit this vulnerability, an attacker needs to inject crafted packets using a packet injection tool, such as Scapy or other custom network manipulation software. Alternatively, an attacker can create a crafted capture file containing the malicious packet with the incorrect length value to cause the crash.

It is essential to safeguard affected Wireshark versions (4.0.0 to 4.0.3 and 3.6.0 to 3.6.11) by updating the application to the latest release or by patching the specific dissectors in question. Reviewing how these dissectors process packets, so that every length value is validated against the captured data before it is used, is also crucial to properly mitigating this vulnerability.

Closing Thoughts

In conclusion, CVE-2023-1161 highlights the significance of maintaining a watchful eye on the tools we rely on daily, such as Wireshark. By understanding the vulnerability and its underlying mechanisms, we are better prepared to address and mitigate risks associated with these dissectors and similar issues that may arise in the future.

Timeline

Published on: 03/06/2023 21:15:00 UTC
Last modified on: 03/21/2023 16:21:00 UTC