Wireshark FC-SWILS Protocol Dissector Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the FC-SWILS protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability arises from a stack overflow in the 'dissect_swils_zone_obj()' function, which processes zone set objects by recursively calling itself for each member. The lack of a recursion depth guard allows a crafted packet to create excessive nesting, leading to a crash. This issue can be reproduced in 'tshark' with the '-V' flag, but not in the Wireshark GUI without additional user interaction.
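
The missing control described above, a recursion depth guard, shown on a constructed toy nested-object format. This is an added example, not Wireshark's code and not the FC-SWILS wire layout; parse_obj, parse_nested_levels and MAX_OBJ_DEPTH are hypothetical names, and the limit of 32 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define MAX_OBJ_DEPTH 32  /* assumed limit for this example */

/* Constructed toy format, NOT the FC-SWILS wire layout:
 *   object := count:u8, member[count]
 *   member := 0x00 (leaf) | 0x01 object (nested)
 * Returns bytes consumed, or -1 on truncation, bad tag or excess nesting. */
static long parse_obj(const uint8_t *buf, size_t len, unsigned depth)
{
    if (depth > MAX_OBJ_DEPTH)  /* recursion depth guard */
        return -1;
    if (len < 1)
        return -1;
    size_t off = 1;
    for (unsigned i = 0; i < (unsigned)buf[0]; i++) {
        if (off >= len)
            return -1;
        uint8_t tag = buf[off++];
        if (tag == 0x00)
            continue;   /* leaf member, no payload */
        if (tag != 0x01)
            return -1;
        long used = parse_obj(buf + off, len - off, depth + 1);
        if (used < 0)
            return -1;  /* propagate failure, stop descending */
        off += (size_t)used;
    }
    return (long)off;
}

/* Constructed input: `levels` objects nested one inside the other. */
long parse_nested_levels(unsigned levels)
{
    static uint8_t buf[1 << 20];
    size_t n = 0;
    for (unsigned i = 0; i < levels && n + 3 <= sizeof buf; i++) {
        buf[n++] = 1;     /* one member ... */
        buf[n++] = 0x01;  /* ... which is a nested object */
    }
    buf[n++] = 0;         /* innermost object has no members */
    return parse_obj(buf, n, 0);
}

int main(void)
{
    printf("3 levels: %ld\n", parse_nested_levels(3));
    printf("500000 levels: %ld\n", parse_nested_levels(500000));
    return 0;
}
```

With the guard in place, stack use is bounded by MAX_OBJ_DEPTH frames regardless of input size, so deeply nested input is rejected as malformed instead of exhausting the stack.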

Impact

Exploitation of this vulnerability causes 'tshark' to crash with a segmentation fault, exiting with code 139. The Wireshark GUI has not been tested, but because the issue is in the FC-SWILS dissector, it is expected to crash as well.

Reproduction

The vulnerability can be reproduced by using 'tshark' version 4.7.0 with the '-V' flag, which is required to build the protocol tree. When 'tshark' is run with this flag, it processes each packet of a crafted pcap file that exploits the vulnerability, leading to a stack overflow and crash. The pcap file can be generated using a provided Python script that creates a payload exceeding 960KB by nesting zone objects, simulating the conditions needed to trigger the stack overflow.

Remediation

Users are advised to upgrade to Wireshark versions 4.6.5, 4.4.15 or later.

Added: Apr 30, 2026, 8:04 AM
Updated: Apr 30, 2026, 8:04 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.