CVE assigned due to potential for harm even though some social engineering trickery is required

Maliciously constructed Wireshark packet capture files might be used to distribute malware, providing recipients can be tricked into double-clicking file URL fields.

Variants of the same attack could potentially be thrown against users of the popular network security tool, widely used by security analysts and penetration testers, whether they use Windows or Xubuntu Linux-based systems.

The attack, discovered by security researcher Lukas Euler of Positive Security, is explained in a recent post on GitLab that features proof-of-concept videos.

Even though developers of Wireshark normally avoid asking for a CVE to be created for potential security issues that require user interaction, an exception was made in this case because of the “low barrier to entry and level of control” an attacker might gain.

The issue, tracked as CVE-2021-22191, was resolved through a recent update.

17-year-old bug

A discussion on source code management platform GitLab suggests the issue may have been introduced with changes to Wireshark made as long as 17 years ago.

The root cause of the problem is that for some schemes, referenced files will be opened by the system’s standard application associated with a particular file type, as Euler explains in his blog post:

“Some fields in the Wireshark proto_tree are double-clickable and pass URLs with arbitrary schemes to the QDesktopServices::openUrl function. http and https URLs passed to this function are opened by the browser, which is generally safe. For some other schemes like dav and file, however, referenced files will be opened by the system’s standard application associated with their file type. By preparing internet-hosted file shares and executable files, arbitrary code execution can be achieved via malicious pcap(ng) files or captured live traffic and some user interaction.

“On Windows machines, if a user opens the malicious pcap file and double-clicks the file URL, the WebDAV share is mounted in the background and the .jar file is executed. A similar attack with the same effect might be run against Wireshark users on Xubuntu but featuring an NFS share and a malicious …”

Euler warned: “An attacker could distribute malicious capture files and entice people to inspect them. On Windows with JRE installed, a simple double click on a crafted field is enough to cause code execution on the victim's system.”

In a security advisory, Wireshark advises users to update to versions 3.4.4 or 3.2.12, both of which have been patched to address the issue.

“The issue on GitLab also links the relevant merge requests,” Euler told The Daily Swig. “The code difference shows that the team opted to fix the issue by copying potentially malicious URLs to the clipboard rather than opening them directly.”

High barrier to exploitation

Euler added that, contrary to Wireshark's advisory, older versions of the utility before the officially supported versions 3.4.x and 3.2.x are also vulnerable.
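As an added illustration, and not code from Wireshark, from its merge requests, or from Euler's post, the C++ sketch below models the defensive pattern the article describes: a URL taken from an untrusted capture field is only handed to the browser when its scheme is on a short allow-list (http, https), every other scheme (dav, file, smb, nfs and so on) is copied to the clipboard instead of being opened, and malformed input is dropped. The `DesktopServices` struct is an assumed stand-in for the Qt desktop and clipboard services so the example runs without a GUI toolkit; the function names and the sample URLs are constructed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// What the UI should do with a URL that the user double-clicked in the packet tree.
enum class UrlAction { OpenInBrowser, CopyToClipboard, Reject };

// Assumed stand-in for the desktop/clipboard services: it only records what was
// requested, so the dispatch logic can be exercised without Qt.
struct DesktopServices {
    std::vector<std::string> opened;     // URLs that would go to the browser
    std::vector<std::string> clipboard;  // URLs that would be copied instead
};

// Return the URL scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")),
// lowercased, or "" when the input has no syntactically valid scheme.
std::string url_scheme(std::string url) {
    // Capture fields may carry surrounding whitespace; strip it first.
    auto not_space = [](unsigned char c) { return !std::isspace(c); };
    url.erase(url.begin(), std::find_if(url.begin(), url.end(), not_space));
    url.erase(std::find_if(url.rbegin(), url.rend(), not_space).base(), url.end());

    const auto colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = url.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (char c : scheme) {
        const unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return "";
    }
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Allow-list decision. Only web schemes reach the browser; anything else would
// be passed to the desktop launcher, which may mount a remote share and run the
// program associated with the referenced file, so it is copied rather than opened.
UrlAction classify_field_url(const std::string& url) {
    static const std::vector<std::string> browser_schemes = {"http", "https"};
    const std::string scheme = url_scheme(url);
    if (scheme.empty()) return UrlAction::Reject;
    if (std::find(browser_schemes.begin(), browser_schemes.end(), scheme) != browser_schemes.end())
        return UrlAction::OpenInBrowser;
    return UrlAction::CopyToClipboard;
}

// Double-click handler wired to the stand-in services.
UrlAction on_field_double_click(const std::string& url, DesktopServices& svc) {
    const UrlAction action = classify_field_url(url);
    switch (action) {
        case UrlAction::OpenInBrowser:   svc.opened.push_back(url); break;
        case UrlAction::CopyToClipboard: svc.clipboard.push_back(url); break;
        case UrlAction::Reject:          break;
    }
    return action;
}

int main() {
    DesktopServices svc;
    // Constructed sample field values, modelled on the schemes named in the article.
    const char* samples[] = {"https://example.com/", "dav://share.example/payload.jar",
                             "file:///tmp/payload.desktop", "not a url"};
    for (const char* s : samples) on_field_double_click(s, svc);
    // Expect one browser open, two clipboard copies, one rejection.
    return (svc.opened.size() == 1 && svc.clipboard.size() == 2) ? 0 : 1;
}
```

The check is deliberately on the scheme alone rather than on the file extension or host: the article's Windows and Xubuntu variants differ in share type and payload, but both depend on a non-web scheme being passed to the desktop launcher, which is the single point this allow-list closes.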