Wireshark LZ77 Decompression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The issue arises in the dissection engine's LZ77 decompression process, where the decompressor can enter a loop of approximately 4.29 billion iterations. This flaw is triggered by a crafted SMB2 Compression Transform Header that exploits the decompressor's lack of output size limitations, leading to excessive CPU consumption and causing Wireshark to crash.
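An added illustration of the missing control described above (not Wireshark's code or its actual fix): a decoder for a constructed toy LZ77 token format that checks each match length against the remaining output budget before it starts copying. The token layout, `MAX_OUTPUT`, the sample buffers and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy token stream (NOT the SMB2 / Wireshark wire format):
 *   0x00 <byte>                      literal byte
 *   0x01 <dist:u16 LE> <len:u32 LE>  copy len bytes starting dist bytes back */
#define MAX_OUTPUT (1u << 20) /* assumed policy cap on decompressed size */

/* Returns bytes written, or -1 if the input is malformed or over budget. */
long bounded_lz77(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    if (out_cap > MAX_OUTPUT) out_cap = MAX_OUTPUT;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len || op >= out_cap) return -1;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (in_len - ip < 6) return -1;        /* truncated token */
            uint32_t dist = in[ip] | (uint32_t)in[ip + 1] << 8;
            uint32_t len = in[ip + 2] | (uint32_t)in[ip + 3] << 8 |
                           (uint32_t)in[ip + 4] << 16 | (uint32_t)in[ip + 5] << 24;
            ip += 6;
            if (dist == 0 || dist > op) return -1; /* points before output start */
            /* Reject before looping: an input-supplied 32-bit length must
             * never set the iteration count on its own. */
            if (len > out_cap - op) return -1;
            for (uint32_t i = 0; i < len; i++, op++)
                out[op] = out[op - dist];
        } else return -1;                          /* unknown tag */
    }
    return (long)op;
}

/* Constructed samples: "ab" + copy(dist=2,len=4); and a match declaring len=0xFFFFFFFF. */
static const uint8_t SAMPLE_OK[] = {0x00, 'a', 0x00, 'b', 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_OVERSIZED[] = {0x00, 'a', 0x01, 0x01, 0x00, 0xFF, 0xFF, 0xFF, 0xFF};
static uint8_t out_buf[64];

int main(void)
{
    printf("ok=%ld oversized=%ld\n",
           bounded_lz77(SAMPLE_OK, sizeof SAMPLE_OK, out_buf, sizeof out_buf),
           bounded_lz77(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, out_buf, sizeof out_buf));
    return 0;
}
```

Without the `len > out_cap - op` check, the copy loop would run for as many iterations as the token declares, which for a 32-bit field is the roughly 4.29 billion figure cited above.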

Impact

Exploitation of this vulnerability leads to a crash of the Wireshark application, causing a complete denial-of-service condition. Additionally, during the exploitation, Wireshark can consume excessive CPU resources, further exacerbating the denial-of-service effect.

Reproduction

The vulnerability can be reproduced by using TShark, Wireshark's command-line version, to read a packet capture file (PCAP) that contains the crafted SMB2 LZ77 decompression bomb. This PCAP file can be uploaded to the Wireshark GitLab repository. When TShark processes the file, it may hang or become unresponsive due to the excessive iterations caused by the decompression loop.

Remediation

Users can upgrade to Wireshark versions 4.6.5, 4.4.15 or later to address this vulnerability.

Added: Apr 30, 2026, 7:35 AM
Updated: Apr 30, 2026, 7:35 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.