CVE-2023-1993: LISP Dissector Large Loop Vulnerability in Wireshark 4.. to 4..4 and 3.6. to 3.6.12 Allowing Denial of Service Attacks

A newly discovered vulnerability has been found in the Wireshark tool, specifically in the LISP (Locator/ID Separation Protocol) dissector. Wireshark is a commonly used, open-source network protocol analyzer tool that allows users to see what’s happening on their networks at a microscopic level. The vulnerability allows attackers to cause a denial of service (DoS) attack by injecting a specifically crafted packet into the network or by simply providing a malicious capture file. In this post, we will take a detailed look at this vulnerability, discuss how it can be exploited, and provide relevant code snippets and reference links.

Vulnerability Details

The vulnerability, assigned the identifier CVE-2023-1993, affects Wireshark versions 4.. to 4..4 and 3.6. to 3.6.12. The issue specifically impacts the LISP dissector component, which is responsible for analyzing and processing LISP protocol data within Wireshark.

The vulnerability involves a large loop within the LISP dissector, which can be exploited to cause a denial of service attack. This can be achieved either via injecting a malicious packet on the network that would be captured by the Wireshark tool or by providing a specifically crafted capture file that, when opened with Wireshark, will cause the application to crash or hang.

Here's a snippet of the vulnerable code within the LISP dissector component

static void
dissect_lisp_mapping(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
  ...
  for (i = ; i < record_count; i++) {
      guint8 prefix_len = ;
      guint32 eid_prefix;

      /* Read prefix_len and eid_prefix */
      ...

      /* Trigger the vulnerable large loop */
      while (prefix_len > ) {
          proto_tree_add_item(tree, hf_lisp_eid_prefix, tvb,
                              offset + (i * 4), 4, ENC_BIG_ENDIAN);
          prefix_len -= 8;
      }
  }
  ...
}

As mentioned earlier, the vulnerability is a consequence of the large loop that occurs when processing the prefix_len variable. If an attacker can manipulate this value, they can create a situation where the loop would continue for an extended period, effectively causing a denial of service state within the Wireshark application.

Exploit Details

Exploiting this vulnerability requires the attacker to craft a specific LISP protocol packet or a malicious capture file (.pcap) with a large prefix_len value. Upon injecting the crafted packet into the network or having the victim open the malicious capture file, the Wireshark tool would start processing the packet and eventually enter the large loop within the LISP dissector. This would result in the Wireshark application hanging or crashing, disrupting the service it provides.

Original References

1. Wireshark Security Advisory
2. CVE-2023-1993 Vulnerability Information

Mitigation and Recommendations

To mitigate this vulnerability, users are advised to update their Wireshark installations to versions 4..5 or 3.6.13, which have the vulnerability fixed. Moreover, users should be cautious when opening unrecognized capture files and exercise proper network security practices to prevent malicious packet injections.

Conclusion

The CVE-2023-1993 vulnerability poses a significant risk to users of Wireshark 4.. to 4..4 and 3.6. to 3.6.12 as an attacker could exploit the LISP dissector large loop to cause a denial of service condition. It's important to take the necessary steps to mitigate the risks associated with this vulnerability, including updating Wireshark to a newer, more secure version.

Timeline

Published on: 04/12/2023 21:15:00 UTC
Last modified on: 06/16/2023 04:15:00 UTC