The Wireshark development team has fixed three serious flaws that could be exploited by a remote unauthenticated attacker to trigger a DoS condition in the world’s most popular network protocol analyzer.
The three vulnerabilities tracked as CVE-2018-16056, CVE-2018-16057 and CVE-2018-16058 affect respectively the Bluetooth Attribute Protocol (ATT) dissector, the Radiotap dissector, and the Audio/Video Distribution Transport Protocol (AVDTP) dissector components of Wireshark.
A proof-of-concept (PoC) code exploit for each flaw is publicly available, the vulnerabilities are trivial to exploit, an attacker can exploit the vulnerabilities by injecting a malformed packet into a network. The attackers have to trick the victim into opening a malicious packet trace file.
“To exploit the vulnerability, the attacker may use misleading language and instructions to convince a user to open a malicious packet trace file.” reads the security advisory published for the CVE-2018-16057 flaw.
“To inject malformed packets that the Wireshark application may attempt to parse, the attacker may need access to the trusted, internal network where the targeted system resides. This access requirement may reduce the likelihood of a successful exploit.”
Anyway, to trigger the flaw it is necessary to access to a malicious packet trace file, a circumstance that makes the likelihood of exploitation very low.
Wireshark users need to upgrade their install to one of these: 2.6.3, 2.4.9, or 2.2.17.
Below the list of safeguards provided by Cisco in the security advisory:
- Administrators are advised to apply the appropriate updates.
- Administrators are advised to allow only trusted users to have network access.
- Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
- Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
- Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
- Administrators are advised to monitor affected systems.
To read the original article