The Wireshark Foundation has released version 4.6.7 of its widely-used network protocol analyzer, addressing twelve security vulnerabilities that could lead to application crashes or excessive resource consumption when processing specially crafted packets or capture files.
Security Vulnerabilities Patched
Wireshark’s extensive use in network analysis and troubleshooting makes it critical to maintain its robustness against malformed inputs. The latest update targets several protocol dissectors and file parsers, including:
- Catapult DCT2000: A flaw in this dissector could cause the application to crash upon processing malicious packets.
- SSH: Malformed SSH traffic had the potential to terminate Wireshark unexpectedly.
- IEEE 802.11: Crafted wireless frames could lead to application crashes.
- Z39.50: Specially crafted packets could cause the application to crash.
- UMTS FP: Malformed UMTS Frame Protocol traffic could trigger crashes.
- FMP/NOTIFY: Certain inputs could cause the dissector to enter excessive processing loops, consuming significant CPU resources.
- TLS Encrypted Client Hello: Crafted data could lead to crashes during decryption.
- pcapng: Malicious capture files could cause the parser to crash.
- BLF: Crafted Binary Logging Format files could expose unintended process or memory information.
- DBS Etherwatch: Malicious capture files could crash the parser.
- Ciscodump: Crafted input could cause the external capture utility to terminate unexpectedly.
One significant issue involved infinite loops in multiple protocol dissectors, which could be exploited to consume processing resources and disrupt analysis workflows. Another vulnerability in the BLF parser could result in information disclosure when opening crafted capture files.
Additional Bug Fixes and Enhancements
Beyond security patches, Wireshark 4.6.7 addresses sixteen non-security bugs to improve stability and usability. Notable fixes include:
- Ethernet POWERLINK Dissector: Resolved a use-after-free issue occurring during profile-loading errors.
- Android Logcat Parser: Fixed a heap-buffer-overflow vulnerability.
- Language Display: Corrected an issue where systems set to Dutch displayed the interface in German.
- IPv6 Ping Decoding: Addressed misidentification of IPv6 pings from Debian and other systems as HiPerConTracer traffic.
- HEVC Video Dissector: Fixed improper bit offset advancement causing packets to be marked as malformed.
- Recent Files Handling: Prevented heap corruption that could crash the application when loading the most recent saved file.
Changes for Plugin Developers
For plugin developers, the release documents a change introduced in version 4.6.0 regarding the location of external capture (extcap) helper binaries on UNIX-like systems. Wireshark now searches for these binaries in the libexec directory by default (e.g., /usr/libexec/wireshark/extcap). This aligns with standard practices for helper executables that do not require multi-architecture handling. While bundled extcap utilities already use this directory, third-party extcap packages may need adjustments to remain compatible. Developers can override the default search path by setting the WIRESHARK_EXTCAP_DIR environment variable. Distributions without a libexec directory, such as Alpine Linux, will continue using the previous binary location.
Regular updates like Wireshark 4.6.7 are essential for maintaining the security and reliability of network analysis tools. Users are encouraged to update promptly to benefit from these fixes and improvements.