Wireshark DLMS/COSEM Dissector Infinite Loop Denial-of-Service Vulnerability

Vulnerability

An infinite loop vulnerability has been identified in the DLMS/COSEM protocol dissector of Wireshark. This issue is present in versions 4.6.0 through 4.6.4. The vulnerability causes TShark, the command-line version of Wireshark, to consume 100% of CPU resources indefinitely, requiring the process to be terminated manually. The issue can be triggered by a single crafted UDP packet, 63 bytes in size, sent to port 4059, which is registered for DLMS/COSEM by default.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where TShark hangs in an infinite loop, using 100% of CPU resources until the process is forcibly killed.

Reproduction

The vulnerability can be reproduced by sending a UDP packet that exploits the dissector's handling of compact arrays in the DLMS/COSEM protocol. This can be done using a Python script that generates the appropriate packet and sends it to a TShark instance listening on the default DLMS/COSEM port.

Remediation

Users can upgrade to Wireshark version 4.6.4, where this vulnerability has been fixed.
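Where TShark runs unattended over capture files, a per-job CPU budget turns the hang described under Impact into a bounded, detectable failure. The shell functions below are an added example, not part of the original advisory or of Wireshark; CPU_BUDGET and TSHARK are hypothetical variable names introduced here, and the signal numbers assume Linux.

```shell
#!/bin/sh
# Added example (not from the advisory): give each TShark job a CPU budget so a
# capture that sends a dissector into an endless loop is killed and flagged.
# CPU_BUDGET and TSHARK are hypothetical variables introduced for this example.

# run_cpu_bounded SECONDS CMD [ARGS...]
# Runs CMD with a CPU-time rlimit. The subshell keeps the limit off the caller.
# CPU time, not wall time, is limited, so waiting on I/O does not count.
run_cpu_bounded() {
    limit=$1
    shift
    ( ulimit -t "$limit" && exec "$@" )
}

# classify_status STATUS
# Maps an exit status to: ok | cpu-limit | error.
classify_status() {
    case $1 in
        0) echo ok ;;
        # 128+24 = SIGXCPU at the soft limit, 128+9 = SIGKILL at the hard limit
        # (Linux signal numbers). 137 can also mean an unrelated SIGKILL.
        152|137) echo cpu-limit ;;
        *) echo error ;;
    esac
}

# dissect_file PCAP [OUTFILE]
# Dissects one capture file and prints its classification. A "cpu-limit" result
# marks the file for quarantine and review instead of retrying it.
dissect_file() {
    st=0
    run_cpu_bounded "${CPU_BUDGET:-30}" "${TSHARK:-tshark}" -r "$1" \
        > "${2:-/dev/null}" 2>/dev/null || st=$?
    classify_status "$st"
}

# Example batch use:
#   for f in /path/to/captures/*.pcap; do
#       printf '%s %s\n' "$f" "$(dissect_file "$f" "$f.txt")"
#   done
```

A large but benign capture also accumulates CPU time, so the budget should be sized from normal processing times for the files being handled.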

Added: Apr 30, 2026, 7:30 AM
Updated: Apr 30, 2026, 7:30 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.