• Animesh Gupta

Wireshark can be crashed via Malicious Packet Trace Files



Wireshark is the world’s most popular network protocol analyzer. The software is free and open source.


The vulnerabilities – CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 – affect three components of Wireshark: the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector, respectively.


Bluetooth ATT dissector component – CVE-2018-16056


The vulnerability resides in the Bluetooth Attribute Protocol (ATT) dissector component. An attacker could exploit it by injecting a malicious packet into a network that is then processed by the vulnerable application, or by convincing a user to open a malicious packet trace file.

Successful exploitation of the vulnerability could crash the Bluetooth ATT dissector component resulting in a DoS condition.

The vulnerability affects 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16; it has been fixed in 2.6.3, 2.4.9, and 2.2.17, which are available to download from here.


Radiotap dissector component – CVE-2018-16057


The vulnerability is due to insufficient bounds checks in the ieee80211_radiotap_iterator_next() function. An attacker could exploit it by injecting a malicious packet into the network that is then processed by the vulnerable application, or by convincing a user to open a malicious packet trace file.

Successful exploitation of the vulnerability could crash the Radiotap dissector component, resulting in a DoS condition. The vulnerability affects 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16; it has been fixed in 2.6.3, 2.4.9, and 2.2.17.


Audio/Video Distribution Transport Protocol – CVE-2018-16058


The vulnerability exists because the source file epan/dissectors/packet-btavdtp.c of the vulnerable software improperly initializes a data structure. An attacker could exploit it by injecting a malicious packet into a network that is then processed by the vulnerable application, or by convincing a user to open a malicious packet trace file.

Successful exploitation of the vulnerability could crash the AVDTP dissector component, resulting in a DoS condition. The vulnerability affects 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16; it has been fixed in 2.6.3, 2.4.9, and 2.2.17.


All three vulnerabilities can be exploited by an attacker by injecting a malformed packet into a network, to be processed by the affected application, or by convincing a targeted user to open a malicious packet trace file.


Wireshark issued security patches for three critical vulnerabilities that allow an unauthenticated, remote attacker to crash vulnerable installations, leading to a DoS condition.

According to Cisco, a proof-of-concept (PoC) exploit for these vulnerabilities is publicly available.




https://www.wireshark.org/docs/relnotes/wireshark-2.6.3.html

According to Cisco:


“The attacker may use misleading language and instructions to convince a user to open a malicious packet trace file. To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides,” Cisco researchers have noted, and added that this access requirement may reduce the likelihood of a successful exploit.

Cisco recommends that administrators run both firewall and antivirus applications to minimize the impact of threats, and use IP-based ACLs to allow only trusted IPs to access the vulnerable system.


Patching the Vulnerabilities


  • Administrators are advised to apply the appropriate updates.

  • Administrators are advised to allow only trusted users to have network access.

  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

  • Administrators are advised to monitor affected systems.
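As an added example for the "apply the appropriate updates" step (not code from the article, Cisco or the Wireshark project), the POSIX shell function below classifies a Wireshark version string against the affected and fixed versions named above, and a helper reads the installed version from `tshark -v`; it assumes tshark is on PATH and that the first line of its output carries the version.

```shell
#!/bin/sh
# Added example, not from the article or the Wireshark project: classify a
# Wireshark version against the ranges the advisory names for
# CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058.
#   affected: 2.2.0-2.2.16, 2.4.0-2.4.8, 2.6.0-2.6.2
#   fixed:    2.2.17, 2.4.9, 2.6.3

# wireshark_status VERSION
# Prints "affected", "fixed" or "unknown" and returns 0, 1 or 2 respectively
# ("unknown" = a branch or version format the advisory does not cover).
wireshark_status() {
    ver=$1
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # drop package suffixes: "2.6.2-1", "2.6.2rc0"
    case "$major:$minor:$patch" in
        *[!0-9:]*|*:) echo unknown; return 2 ;;   # non-numeric or empty field
    esac
    [ "$major" -eq 2 ] || { echo unknown; return 2; }
    case "$minor" in               # first fixed patch level of each branch
        2) fixed=17 ;;
        4) fixed=9 ;;
        6) fixed=3 ;;
        *) echo unknown; return 2 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo affected; return 0
    fi
    echo fixed; return 1
}

# installed_wireshark_status
# Classifies the locally installed build. Assumes tshark is on PATH and that
# the first line of `tshark -v` carries the version, e.g.
# "TShark (Wireshark) 2.6.2 (...)".
installed_wireshark_status() {
    v=$(tshark -v 2>/dev/null |
        sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || { echo unknown; return 2; }
    wireshark_status "$v"
}
```

Versions outside the 2.2, 2.4 and 2.6 branches are reported as "unknown" rather than guessed at, since the advisory does not name them.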

©2019 Security Unleashed | New Delhi