Wireshark MBIM Protocol Dissector Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the MBIM protocol dissector of Wireshark. This issue, present in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14, arises from an infinite loop caused by unchecked buffer length data. When a malformed MBIM packet is processed, the dissector can enter a loop that iterates millions of times, consuming excessive CPU resources.

Impact

Exploitation of this vulnerability can lead to a significant increase in CPU usage, causing Wireshark to become unresponsive. This effect can be achieved by injecting a malformed MBIM packet into the network or by opening a packet trace file that contains such a packet.

Reproduction

The vulnerability can be reproduced by using TShark, the command-line version of Wireshark, to read a packet capture file (PCAPNG) that contains a specially crafted MBIM COMMAND_MSG. This message should include an 'info_buff_len' value that is excessively large, such as 536MB. When this packet is processed, it triggers the infinite loop in the dissector.

Remediation

Users can upgrade to Wireshark versions 4.6.5, 4.4.15 or later to address this vulnerability.
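
For code that parses MBIM itself, the following added example (not Wireshark's dissector code or its fix) shows the kind of bound check the Vulnerability section says is missing: a declared 'info_buff_len' is accepted only if it fits inside the bytes actually captured. The field offsets are an assumption based on the MBIM COMMAND_MSG layout, which this page does not give; the function names are hypothetical and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBIM_COMMAND_MSG 0x00000003u /* MessageType (assumed from the MBIM spec) */
#define MBIM_MSG_HDR_LEN 12u         /* type + length + transaction id */
#define MBIM_CMD_HDR_LEN 48u         /* + fragment hdr(8) + UUID(16) + CID + type + info len */
enum mbim_check { MBIM_OK, MBIM_NOT_COMMAND, MBIM_TRUNCATED, MBIM_BAD_MSG_LEN, MBIM_BAD_INFO_LEN };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Accept a COMMAND_MSG only if every declared length fits the captured bytes. */
enum mbim_check mbim_check_command(const uint8_t *buf, size_t captured, uint32_t *info_len) {
    *info_len = 0;
    if (captured < MBIM_MSG_HDR_LEN) return MBIM_TRUNCATED;
    if (rd_le32(buf) != MBIM_COMMAND_MSG) return MBIM_NOT_COMMAND;
    if (captured < MBIM_CMD_HDR_LEN) return MBIM_TRUNCATED;
    uint32_t msg_len = rd_le32(buf + 4);
    if (msg_len < MBIM_CMD_HDR_LEN || msg_len > captured) return MBIM_BAD_MSG_LEN;
    uint32_t declared = rd_le32(buf + 44);
    /* Compare by subtraction so a huge declared value cannot wrap an addition. */
    if (declared > msg_len - MBIM_CMD_HDR_LEN) return MBIM_BAD_INFO_LEN;
    *info_len = declared; /* now a safe loop bound */
    return MBIM_OK;
}

/* Constructed sample: `payload` real bytes, arbitrary declared info_buff_len. */
size_t build_sample(uint8_t *out, uint32_t payload, uint32_t declared) {
    memset(out, 0, MBIM_CMD_HDR_LEN + payload);
    wr_le32(out, MBIM_COMMAND_MSG);
    wr_le32(out + 4, MBIM_CMD_HDR_LEN + payload); /* MessageLength */
    wr_le32(out + 12, 1);                         /* TotalFragments */
    wr_le32(out + 44, declared);                  /* info_buff_len */
    return MBIM_CMD_HDR_LEN + payload;
}

int main(void) {
    uint8_t pkt[64]; uint32_t n;
    size_t len = build_sample(pkt, 16, 16);
    printf("consistent: %d\n", mbim_check_command(pkt, len, &n));
    len = build_sample(pkt, 16, 0x20000000u); /* 536,870,912 declared, 16 present */
    printf("oversized:  %d\n", mbim_check_command(pkt, len, &n));
    return 0;
}
```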

Added: Apr 30, 2026, 7:58 AM
Updated: Apr 30, 2026, 7:58 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.