Researchers have uncovered a security vulnerability in the latest versions of Wireshark, a widely used network protocol analyzer. This vulnerability, identified as CVE-2023-2879, specifically affects the GDSDB (Global Database System Dissection Base) dissector in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13. The flaw enables an attacker to trigger an infinite loop within the GDSDB dissector, ultimately leading to a Denial of Service (DoS) either via packet injection into monitored network traffic or through a maliciously crafted capture file.

The following code snippet demonstrates the vulnerability present in the affected Wireshark versions:

int dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data){

    ...

    /* segment_len is expected to shrink as segments are consumed, but
       dissect_segment() can leave it unchanged for a malformed packet */
    while(segment_len > 0){
        dissect_segment(tvb, pinfo, offset, &segment_len, proto_tree_add_subtree(tree, tvb, 0, -1, ett_gdsdb_segment, NULL, "GDSDB Segment"));

        /* Infinite Loop Vulnerability: this check never fires when
           segment_len stays positive, so the loop never makes progress */
        if(segment_len <= 0){
            break;
        }
    }

    ...
}

The issue resides within the "while" loop, where the "segment_len" variable does not decrease during each iteration. Consequently, "segment_len" remains greater than 0, leading to an infinite loop that can cause the Wireshark application to freeze or crash.
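As an added illustration (not code from Wireshark or from the original post), the following C sketch contrasts a segment-walking loop that never advances on a zero-length segment with a hardened version that stops as soon as the dissector makes no progress. The length-prefixed segment format, the sample buffers and all function names are constructed for the example and are not the real GDSDB wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample buffers: each segment is a 1-byte length prefix followed
   by that many payload bytes. bad_pkt contains a zero-length segment, the
   "no progress" case that a naive loop can never escape. */
static const uint8_t good_pkt[] = {2, 'a', 'b', 1, 'c'};
static const uint8_t bad_pkt[]  = {2, 'a', 'b', 0, 'x'};

/* Stand-in for a per-segment dissector: returns the number of bytes consumed
   by the segment starting at `offset`, or 0 when it cannot advance. */
static size_t segment_consumed(const uint8_t *buf, size_t len, size_t offset) {
    if (offset >= len) return 0;
    size_t seg = buf[offset];                        /* length prefix */
    if (seg == 0) return 0;                          /* malformed: no progress */
    if (offset + 1 + seg > len) return len - offset; /* truncated tail: consume rest */
    return 1 + seg;
}

/* Vulnerable pattern: `remaining` only shrinks when the dissector consumes
   bytes, so a zero-length segment spins forever. An iteration budget is
   added purely so the example can be run; returns -2 if the budget is hit. */
int walk_segments_vulnerable(const uint8_t *buf, size_t len, unsigned budget) {
    int count = 0;
    size_t offset = 0, remaining = len;
    while (remaining > 0) {
        if (budget-- == 0) return -2;                /* would have looped forever */
        size_t consumed = segment_consumed(buf, len, offset);
        offset += consumed;                          /* stays put when consumed == 0 */
        remaining = len - offset;                    /* therefore never decreases */
        count++;
    }
    return count;
}

/* Hardened pattern: the loop is bounded by the buffer length and aborts with
   -1 the moment the dissector fails to advance, so malformed input produces
   a malformed-packet report instead of a hang. */
int walk_segments_hardened(const uint8_t *buf, size_t len) {
    int count = 0;
    size_t offset = 0;
    while (offset < len) {
        size_t consumed = segment_consumed(buf, len, offset);
        if (consumed == 0) return -1;                /* no progress: stop, report malformed */
        offset += consumed;
        count++;
    }
    return count;
}
```

On good_pkt both versions dissect two segments; on bad_pkt the vulnerable walk exhausts its budget while the hardened walk returns -1 after the first stalled iteration.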

An attacker can exploit this vulnerability in two main ways:

1. Packet Injection: An attacker with the ability to intercept and manipulate network traffic can inject specially-crafted GDSDB packets to trigger the infinite loop, causing Wireshark to become unresponsive and, eventually, crash. This form of attack takes advantage of the live network traffic monitoring capabilities of Wireshark and directly targets individuals or enterprises using the affected application in real time.

2. Crafted Capture File: Alternatively, an attacker could share malformed PCAP (Packet Capture) files with GDSDB-supported protocols containing the specific sequence of packets required to trigger the infinite loop. Unsuspecting users who open these PCAP files with the affected Wireshark versions will inadvertently cause the application to enter an unending loop, rendering it useless and forcing the user to terminate the application.

To mitigate this vulnerability, users should:

1. Update their Wireshark application to the latest available release, which includes patches addressing this vulnerability. Users of the affected application versions can download the updates from the Wireshark official website: Download Link.

2. Refrain from opening untrusted packet capture files, only interacting with PCAP files from trusted and verified sources.

3. Exercise caution when monitoring live network traffic, using additional security measures to reduce the risk of packet injection attacks.

Original References

For further information regarding this vulnerability and the affected Wireshark versions, refer to the following sources:

- Wireshark Security Advisory
- National Vulnerability Database (NVD) Entry
- Wireshark Bug 17789

Conclusion

This newly discovered GDSDB vulnerability in Wireshark (CVE-2023-2879) requires immediate attention. It is highly recommended that users and administrators update their Wireshark installations to the latest versions to eliminate the risk of falling prey to this exploit. Additionally, practicing safe file handling and monitoring techniques can help further shore up defenses against potential attackers.

Timeline

Published on: 05/26/2023 21:15:00 UTC
Last modified on: 06/16/2023 04:15:00 UTC