Wireshark, one of the world's most popular network protocol analyzers, has long been a crucial tool for network professionals and enthusiasts alike. Although it is built for comprehensive analysis, Wireshark is not without its faults. Among these, the recent CVE-2023-6174 has caught the attention of many concerned users and security experts. This vulnerability in the SSH dissector, affecting Wireshark versions 4.0.0 through 4.0.10, can result in a denial of service (DoS) when an attacker injects malicious packets onto the network or supplies a specially crafted capture file.

In this in-depth post, we take a closer look at the CVE-2023-6174 vulnerability, examining the related code snippets, providing links to original references, and shedding light on the exploit details.

Affected Code Snippet

The issue originates in the SSH dissector, found in the source file "epan/dissectors/packet-ssh.c" of the Wireshark source tree. The following abridged snippet shows the code path responsible for the vulnerability:

/* Top-level entry point of Wireshark's SSH dissector (epan/dissectors/packet-ssh.c), abridged */
static int
dissect_ssh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
    ...
    /* Parses the SSH identification ("banner") line; the crash described below occurs on this path */
    offset = dissect_ssh_banner(tvb, pinfo, offset, ssh_tree);
    ...
}

The vulnerability arises when the SSH dissector processes specially crafted banner information in an SSH packet: Wireshark can crash while handling it, resulting in a denial of service.

Exploit Details

For an attacker to exploit the CVE-2023-6174 vulnerability, they must either

1. Inject malicious SSH packets onto a network that's actively being monitored by a vulnerable version of Wireshark. These packets should carry the crafted banner information to trigger the denial of service, thus crashing Wireshark.

2. Create a purposely crafted pcap (packet capture) file containing these malicious SSH packets and malicious banner information. When opened by a user running a vulnerable version of Wireshark, the application will crash, resulting in a DoS.

References

- CVE Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6174
- Wireshark Source Code: https://github.com/wireshark/wireshark
- Wireshark "epan/dissectors/packet-ssh.c": https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-ssh.c

Mitigation and Solutions

Wireshark has since released updates addressing the CVE-2023-6174 vulnerability; the fix is included in version 4.0.11 and later. Users are strongly advised to update their Wireshark installations to the latest release, thus mitigating the risk of falling victim to a denial of service exploit.
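A quick way to confirm whether a given installation falls in the affected range is to parse the version banner that tshark or wireshark print with --version. The script below is an added example, not code from the original post or from the Wireshark project; it takes the affected range (4.0.0 through 4.0.10) and the first fixed release (4.0.11) from the text above, and the sample banner strings are constructed to follow the format tshark prints.

```python
"""Classify a Wireshark/TShark version against the CVE-2023-6174 affected range.

Added example, not part of the original post or of Wireshark. The range
constants come from the advisory text above; sample banners are constructed.
"""
import re
import subprocess

AFFECTED_MIN = (4, 0, 0)   # first affected release, per the advisory text
AFFECTED_MAX = (4, 0, 10)  # last affected release, per the advisory text
FIXED = (4, 0, 11)         # first fixed release ("4.0.11 and later")

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str):
    """Extract the first x.y.z triple from a --version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'affected', 'fixed', 'outside-listed-range' or 'unknown'."""
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED:
        return "fixed"
    # Older branches (3.x and earlier) are not named by the advisory text;
    # report them without claiming they are safe.
    return "outside-listed-range"


def installed_version(cmd="tshark"):
    """Run `<cmd> --version` and parse its first line; None if unavailable."""
    try:
        out = subprocess.run([cmd, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    first_line = out.stdout.splitlines()[0] if out.stdout else ""
    return parse_version(first_line)


if __name__ == "__main__":
    # Constructed sample banners, modelled on the format tshark prints.
    samples = [
        "TShark (Wireshark) 4.0.10 (Git v4.0.10 packaged as 4.0.10-1)",
        "TShark (Wireshark) 4.0.11 (Git v4.0.11 packaged as 4.0.11-1)",
        "TShark (Wireshark) 3.6.19 (Git v3.6.19 packaged as 3.6.19-1)",
    ]
    for s in samples:
        print(f"{s!r}: {assess(parse_version(s))}")
    live = installed_version()
    print("installed tshark:", live, "->", assess(live))
```

Pre-4.0 branches are reported as outside the listed range rather than as safe, because the advisory text only names 4.0.0 through 4.0.10; treat that result as "check the vendor release notes for your branch", not as a clean bill of health.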

In addition, users should exercise caution when opening pcap files from unknown or untrusted sources, as they may contain crafted SSH packets designed to exploit this vulnerability.
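For captures that must be examined anyway, a small pre-screen that never touches the dissector can flag SSH identification lines that violate RFC 4253 (the "SSH-" line must be CRLF-terminated within 255 bytes and consist of printable ASCII) before the file is opened in a full analyzer. The script below is an added example, not code from the original post or from Wireshark; it is a generic hygiene check, not a signature for CVE-2023-6174 (whose exact trigger the post does not describe), it handles only classic little-endian pcap with Ethernet/IPv4/TCP frames, and the sample capture at the bottom is constructed in memory.

```python
"""Pre-screen a classic pcap for malformed SSH identification lines.

Added example, not part of the original post or of Wireshark. Generic RFC 4253
sanity checks only; the sample capture is constructed, not captured.
"""
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond stamps
LINKTYPE_ETHERNET = 1
RFC4253_MAX_ID_LINE = 255    # identification line limit, CR LF included


def iter_pcap_records(data):
    """Yield raw frames from little-endian classic pcap bytes (pcapng not handled)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        yield data[off:off + incl]
        off += incl


def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = 14 + ihl
    if ihl < 20 or tcp + 20 > len(frame):
        return None
    doff = (frame[tcp + 12] >> 4) * 4
    end = 14 + total_len
    if doff < 20 or end > len(frame) or tcp + doff > end:
        return None
    return frame[tcp + doff:end]


def check_ssh_banner(payload):
    """Return RFC 4253 findings for a payload that begins with 'SSH-' (else [])."""
    findings = []
    if not payload.startswith(b"SSH-"):
        return findings
    end = payload.find(b"\r\n", 0, RFC4253_MAX_ID_LINE)
    if end == -1:
        findings.append("identification line not CRLF-terminated within 255 bytes")
        line = payload[:RFC4253_MAX_ID_LINE]
    else:
        line = payload[:end]
    if any(b < 0x20 or b > 0x7E for b in line):
        findings.append("non-printable bytes in identification line")
    return findings


def scan_pcap(data):
    """Return [(record_index, findings)] for frames whose SSH banner fails a check."""
    hits = []
    for i, frame in enumerate(iter_pcap_records(data)):
        payload = tcp_payload(frame)
        if payload:
            findings = check_ssh_banner(payload)
            if findings:
                hits.append((i, findings))
    return hits


# --- constructed sample capture (not from a real network) -----------------
def build_frame(payload):
    """Minimal Ethernet/IPv4/TCP frame around payload; checksums left zero."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 22, 50000, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap container."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame(b"SSH-2.0-OpenSSH_9.4\r\n"),   # well-formed banner
    build_frame(b"SSH-2.0-" + b"A" * 300),     # oversized, never terminated
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for idx, findings in scan_pcap(data):
        print(f"record {idx}: {'; '.join(findings)}")
```

Run it with a file path to screen a real capture, or without arguments to see the constructed sample flag its second record. A hit does not prove a capture is malicious, and a clean result does not prove it is safe; the point is to surface obviously out-of-spec banners so that an untrusted file is opened only on a patched build or in a disposable environment.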

Conclusion

The CVE-2023-6174 vulnerability in Wireshark's SSH dissector serves as a stark reminder of the importance of keeping software up-to-date and understanding potential security issues. By staying informed and vigilant, users can protect themselves from potential exploits, safeguarding the integrity of their network analysis endeavors.

Timeline

Published on: 11/16/2023 12:15:07 UTC
Last modified on: 11/28/2023 17:27:06 UTC