Wireshark SANE Protocol Dissector Infinite Loop Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the SANE (Scanner Access Now Easy) protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability arises from an unbounded loop in the function 'dissect_control_option_value()', which can iterate up to 2^31 times when the 'value_type' field is set to an unrecognized value. This flaw can be exploited by sending a crafted Ethernet frame, causing Wireshark or TShark to hang indefinitely, consume 100% CPU, and ultimately crash.
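The loop shape behind this bug, shown as an added illustration that is not Wireshark's code and uses a constructed option-value encoding rather than SANE's real wire format: the vulnerable variant takes its loop bound from the packet and lets an unrecognised value_type consume nothing per pass, while the hardened variant rejects the unknown type up front and bounds the count by the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed encoding for illustration only (not SANE's real wire format,
 * not Wireshark's code): byte 0 = value_type (1: 32-bit word, 2: 8-bit
 * flag), bytes 1-4 = big-endian element count, then that many elements. */
enum { VT_WORD = 1, VT_FLAG = 2 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static size_t elem_size(uint8_t vt) {       /* 0 = unrecognised type */
    return vt == VT_WORD ? 4 : vt == VT_FLAG ? 1 : 0;
}

/* Bug pattern: the loop bound is the attacker-controlled count, and an
 * unrecognised value_type consumes zero bytes per pass, so the loop spins
 * count times (up to 2^31) while the offset never moves. Returns passes. */
uint32_t dissect_vulnerable(const uint8_t *buf, size_t len) {
    if (len < 5) return 0;
    size_t sz = elem_size(buf[0]), off = 5;
    uint32_t count = be32(buf + 1) & 0x7fffffffu, passes = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (off + sz <= len) off += sz;  /* past the end: keeps looping */
        passes++;
    }
    return passes;
}

/* Hardened: reject an unknown value_type before the loop and bound the
 * count by the bytes actually present. Returns bytes consumed, or -1. */
long dissect_hardened(const uint8_t *buf, size_t len) {
    if (len < 5) return -1;
    size_t sz = elem_size(buf[0]), off = 5;
    if (sz == 0) return -1;                         /* unknown type */
    uint32_t count = be32(buf + 1);
    if ((uint64_t)count * sz > len - 5) return -1;  /* count > data */
    for (uint32_t i = 0; i < count; i++) off += sz;
    return (long)off;
}

/* Constructed samples: unknown type 9 with count 1000 and no payload;
 * type 1 claiming 2 words but carrying 1; type 2 with 4 flags present. */
static const uint8_t SAMPLE_UNKNOWN_TYPE[5] = {9, 0, 0, 0x03, 0xE8};
static const uint8_t SAMPLE_SHORT_DATA[9] = {1, 0, 0, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t SAMPLE_OK[9] = {2, 0, 0, 0, 4, 1, 0, 1, 0};
```

With a 31-bit count in the first sample the vulnerable loop would spin roughly two billion times over a five-byte buffer, which is the CPU-bound hang the advisory describes.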

Impact

Exploitation of this vulnerability leads to an infinite loop, causing the application to consume excessive CPU resources, which can result in a crash.

Reproduction

The vulnerability can be reproduced by using TShark to read a crafted PCAP file containing SANE control option values that trigger the infinite loop. TShark is run with IP defragmentation disabled and under a timeout, so that the hung process is killed after a fixed interval.

Remediation

Users can upgrade to Wireshark versions 4.6.5 or 4.4.15, where this vulnerability has been fixed.

Added: Apr 30, 2026, 8:12 AM
Updated: Apr 30, 2026, 8:12 AM

Vulnerability Rating

Custom Algorithm

spread          7.8
impact          2.5
exploitability  5.8
remediation     7.7
relevance       7.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.