Wireshark USB HID Dissector Infinite Loop Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the USB HID protocol dissector of Wireshark. This issue is present in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability arises from an attacker-controlled 'REPORT_COUNT' being used directly as a loop bound without proper validation. By sending a malicious HID report descriptor with 'REPORT_SIZE' set to zero and a large 'REPORT_COUNT', the dissector can be forced into an infinite loop. This loop consumes excessive CPU resources and memory, leading to a crash as the system runs out of available resources.

Impact

Exploitation of this vulnerability causes extreme CPU exhaustion and memory consumption, resulting in an out-of-memory termination of the Wireshark process.

Reproduction

The vulnerability can be reproduced by crafting a USB HID report descriptor that includes a 'REPORT_SIZE' of zero and a 'REPORT_COUNT' of 0xFFFFFFFF. This descriptor can be included in a USB packet capture file. When Wireshark processes this file, the USB HID dissector will enter an infinite loop, consuming CPU and memory until the process is killed.
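The loop pattern the advisory describes, modelled in C as an added example (this is not Wireshark's dissector code): the unsafe walk takes the descriptor's REPORT_COUNT as its loop bound, so a REPORT_SIZE of zero never advances the bit cursor, while the hardened check rejects a zero size, guards the size-times-count product against 32-bit overflow, and bounds the walk by the payload actually present. The MAX_REPORT_BITS cap and the hid_field_t type are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Sanity cap on bits walked per report. Assumed value for this example,
 * not a constant from the advisory or from Wireshark. */
#define MAX_REPORT_BITS (64u * 1024u * 8u)

/* Hypothetical field description carrying the two HID globals the
 * advisory names: REPORT_SIZE (bits per field) and REPORT_COUNT. */
typedef struct {
    uint32_t report_size;
    uint32_t report_count;
} hid_field_t;

/* Unsafe pattern: attacker-controlled count is the loop bound and a zero
 * size leaves the cursor at bit 0 forever. `limit` exists only so this
 * demonstration terminates; returns how many iterations were run. */
uint64_t walk_unsafe(const hid_field_t *f, uint32_t payload_bits, uint64_t limit) {
    uint64_t iterations = 0;
    uint32_t bit = 0;
    for (uint32_t i = 0; i < f->report_count; i++) {
        if (bit > payload_bits) break;   /* never true when size == 0 */
        bit += f->report_size;
        if (++iterations >= limit) break;
    }
    return iterations;
}

/* Hardened validation: no zero size or count, no 32-bit overflow of the
 * product, and the field must fit in the bits actually captured. */
bool hid_field_valid(const hid_field_t *f, uint32_t payload_bits) {
    if (f->report_size == 0 || f->report_count == 0) return false;
    uint64_t total = (uint64_t)f->report_size * f->report_count;
    if (total > MAX_REPORT_BITS) return false;
    return total <= payload_bits;
}

/* Safe walk: progress is bounded by the payload, not by the descriptor. */
uint64_t walk_safe(const hid_field_t *f, uint32_t payload_bits) {
    if (!hid_field_valid(f, payload_bits)) return 0;
    uint64_t iterations = 0;
    for (uint32_t bit = 0;
         bit + f->report_size <= payload_bits && iterations < f->report_count;
         bit += f->report_size)
        iterations++;
    return iterations;
}
```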

Remediation

Users can upgrade to Wireshark versions 4.6.5 or 4.4.15, where this vulnerability has been fixed.

Added: Apr 30, 2026, 7:30 AM
Updated: Apr 30, 2026, 7:30 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.