Wireshark
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*
- >= 4.6.0, <= 4.6.4
- >= 4.4.0, <= 4.4.14
A denial-of-service vulnerability has been identified in the SMB2 protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The vulnerability arises from the 'dissect_smb2_notify_data_out()' and 'dissect_smb2_file_full_ea_info()' functions, which can enter an infinite loop. This loop causes 'tshark' to use nearly 100% of CPU resources until the process is forcibly terminated. The issue can be triggered by a single TCP segment containing a crafted payload of just 104 bytes, without any user configuration required.
Exploitation of this vulnerability leads to a CPU denial-of-service condition: the 'tshark' process consumes 100% of CPU resources indefinitely and must be terminated externally.
The vulnerability can be reproduced by sending a crafted SMB2 packet that exploits the dissector's lack of proper offset handling. This can be done using the provided Python script 'smb2_notify_infinite_loop_send.py', which sends the malicious packet to a 'tshark' instance listening on the default SMB port (445). Alternatively, the issue can be reproduced by using 'tshark' to read a capture file ('smb2_notify_infinite_loop.pcap') that contains the crafted packet, which will cause 'tshark' to hang and consume 100% CPU until the process is killed.
Users are advised to upgrade to Wireshark versions 4.6.5, 4.4.15 or later.
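Until the upgrade is in place, a capture-processing job can check whether the installed build falls in the affected ranges and cap the CPU time 'tshark' may burn on an untrusted file. The script below is an added example, not part of the advisory or of Wireshark; the function names, the 30-second budget and the assumed format of the version banner are illustrative assumptions.

```shell
#!/bin/sh
# Added example: the affected ranges come from the advisory text; function
# names and the 30 s CPU budget are assumptions made for this sketch.

# Return 0 when VERSION (MAJOR.MINOR.PATCH) lies in 4.6.0-4.6.4 or 4.4.0-4.4.14.
is_affected() {
    ver=${1%%[!0-9.]*}            # drop suffixes such as "-rc1"
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 4 ] || return 1
    case $minor in
        6) [ "$patch" -le 4 ] ;;
        4) [ "$patch" -le 14 ] ;;
        *) return 1 ;;
    esac
}

# Print the version from the first line of `tshark --version`.
# Assumes the usual "TShark (Wireshark) X.Y.Z ..." banner.
installed_tshark_version() {
    tshark --version 2>/dev/null |
        sed -n '1s/^TShark (Wireshark) \([0-9][0-9.]*\).*/\1/p'
}

# Run a command under a CPU-time ceiling (seconds). A dissector stuck in a
# busy loop accumulates CPU time, so the kernel kills it at the limit.
run_bounded() {
    cpu_secs=$1; shift
    ( ulimit -t "$cpu_secs" && exec "$@" )
}

# Usage: CAPTURE=untrusted.pcap sh check_tshark.sh
if [ -n "${CAPTURE:-}" ] && command -v tshark >/dev/null 2>&1; then
    v=$(installed_tshark_version)
    if is_affected "$v"; then
        echo "tshark $v is in an affected range; upgrade to 4.6.5 or 4.4.15" >&2
    fi
    run_bounded 30 tshark -r "$CAPTURE" ||
        echo "tshark ended abnormally (status $?)" >&2
fi
```

The limit is on CPU time, not wall-clock time, so it bounds a spinning process without cutting short a job that is merely waiting on I/O.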