Wireshark
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*
- >= 4.6.0, <= 4.6.4
- >= 4.7.0rc0, < 4.7.0
A heap-based buffer overflow has been identified in the TLS protocol dissector of Wireshark versions 4.6.0 to 4.6.4. It allows a denial-of-service condition and potentially the execution of untrusted code. The defect is an integer truncation in the processing of Encrypted Client Hello (ECH) extensions, which can be triggered by injecting a malformed packet or by convincing a user to open a malformed packet trace file.
Exploitation results in a heap buffer overflow that crashes the Wireshark application and potentially allows execution of untrusted code.
The vulnerability can be reproduced by opening a crafted packet capture file (.pcapng) that contains a malicious TLS ClientHello message, either manually or with a provided Python script that automates the process. An AddressSanitizer (ASan) build of Wireshark reports the overflow as a heap-buffer-overflow error when the file is loaded.
Users are advised to upgrade to Wireshark version 4.6.5 or later.
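The root cause described above is a length field that is trusted before it is checked against the bytes actually present. As an added illustration (not Wireshark's code, and not a reproduction of its bug), the following Python walks a TLS ClientHello and validates every declared length against its enclosing buffer before use, so a constructed ECH extension whose length field exceeds its payload is rejected instead of being read past the end; the ECH code point 0xFE0D and the sample messages are assumptions constructed here.

```python
import struct
TLS_HANDSHAKE, CLIENT_HELLO = 22, 1
ECH_EXT_TYPE = 0xFE0D  # encrypted_client_hello code point (draft-ietf-tls-esni); assumed here

def _take(buf, pos, n):
    # Slice n bytes at pos; fail loudly when a declared length exceeds what is present.
    if pos + n > len(buf):
        raise ValueError(f"need {n} bytes at offset {pos}, only {len(buf) - pos} present")
    return buf[pos:pos + n], pos + n
def _u(b): return int.from_bytes(b, "big")
def parse_client_hello_extensions(record):
    # Return [(ext_type, ext_len), ...]; every length is checked against its buffer before use.
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    body, _ = _take(record, pos, _u(hdr[3:5]))
    hs_hdr, pos = _take(body, 0, 4)
    if hs_hdr[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello, _ = _take(body, pos, _u(hs_hdr[1:4]))
    _, pos = _take(hello, 0, 34)                # legacy_version + random
    for width in (1, 2, 1):                     # session_id, cipher_suites, compression_methods
        ln, pos = _take(hello, pos, width)
        _, pos = _take(hello, pos, _u(ln))
    ln, pos = _take(hello, pos, 2)
    exts, _ = _take(hello, pos, _u(ln))
    out, pos = [], 0
    while pos < len(exts):
        eh, pos = _take(exts, pos, 4)
        _, pos = _take(exts, pos, _u(eh[2:4]))  # the bounds check a dissector must not skip
        out.append((_u(eh[0:2]), _u(eh[2:4])))
    return out
def is_well_formed(record):
    try:
        return parse_client_hello_extensions(record) is not None
    except ValueError:
        return False
def ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data
def build_client_hello(ext_bytes):
    # Constructed sample: a minimal ClientHello wrapping the given raw extension bytes.
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"  # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
             + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs
GOOD = build_client_hello(ext(0, b"\x00\x0a\x00\x00\x07example") + ext(ECH_EXT_TYPE, b"\x00" * 8))
# Constructed malformed case: the ECH extension declares 0x0200 bytes but none follow it.
BAD = build_client_hello(struct.pack("!HH", ECH_EXT_TYPE, 0x0200))
```

Running `parse_client_hello_extensions(BAD)` raises instead of reading past the end, which is the behaviour a hardened dissector should show on the malformed capture described above.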