Wireshark ZigBee Protocol Dissector Denial-of-Service Vulnerability

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the ZigBee Direct protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The vulnerability allows for a denial-of-service condition, where the application crashes due to the improper handling of packet data. The 'decrypt_data' function in the ZigBee dissector allocates a fixed-size buffer on the stack but fails to validate the length of the input before performing decryption. This oversight enables an attacker to manipulate the length parameter, causing a buffer overflow that corrupts the stack and leads to a crash.
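
The missing check, shown as an added C example that is not Wireshark's code: the function name zbd_decrypt_data, the 64-byte buffer size, the single-byte XOR standing in for the real cipher and the sample packet are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the real dissector's size is not on the page. */
#define ZBD_MAX_PAYLOAD 64

/* Stand-in for the real cipher: a single-byte XOR so the example runs offline. */
static void toy_decrypt(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/*
 * Hardened shape of a decrypt_data-style routine. The length taken from the
 * packet is checked against both the stack buffer and the bytes actually present
 * before anything is copied, so an oversized length is reported as malformed
 * instead of overflowing `tmp`. Returns bytes written to `out`, or -1 if rejected.
 */
int zbd_decrypt_data(const uint8_t *pkt, size_t pkt_len, size_t declared_len,
                     uint8_t key, uint8_t *out)
{
    uint8_t tmp[ZBD_MAX_PAYLOAD]; /* fixed-size stack buffer, as in the description */

    if (declared_len > sizeof tmp || declared_len > pkt_len)
        return -1; /* the validation the report says was absent: reject before copying */

    memcpy(tmp, pkt, declared_len);
    toy_decrypt(tmp, declared_len, key);
    memcpy(out, tmp, declared_len);
    return (int)declared_len;
}

/* Constructed sample payload and output area used by main() below. */
static const uint8_t sample_pkt[8] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
static uint8_t decrypted[ZBD_MAX_PAYLOAD];

int main(void)
{
    /* Well-formed: declared length fits both the packet and the buffer. */
    printf("ok:        %d\n", zbd_decrypt_data(sample_pkt, sizeof sample_pkt, 8, 0x5A, decrypted));
    /* Declared length larger than the stack buffer: rejected, not overflowed. */
    printf("oversized: %d\n", zbd_decrypt_data(sample_pkt, sizeof sample_pkt, 200, 0x5A, decrypted));
    /* Declared length larger than the bytes present: rejected (would over-read). */
    printf("truncated: %d\n", zbd_decrypt_data(sample_pkt, sizeof sample_pkt, 16, 0x5A, decrypted));
    return 0;
}
```

A dissector would normally report the rejected case as a malformed-packet expert item rather than silently returning, but the ordering matters: the bound is checked before the buffer is touched.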

Impact

Exploitation of this vulnerability causes Wireshark to crash, with a segmentation fault indicating a stack-buffer-overflow error. This has been confirmed in a standard Wireshark build as well as one with AddressSanitizer (ASAN) enabled, which detected the stack-buffer-overflow issue.

Reproduction

The vulnerability can be reproduced by using Wireshark to open a packet capture file (PCAPNG) that contains malformed ZigBee Direct packets. This can be done manually or by using a Python script to generate the exploit. Once the file is opened in Wireshark, the application will crash, demonstrating the buffer overflow vulnerability.

Remediation

Users are advised to upgrade to Wireshark versions 4.6.5, 4.4.15 or later.

Added: Apr 30, 2026, 7:25 AM
Updated: Apr 30, 2026, 7:25 AM

Vulnerability Rating

Custom Algorithm scores (each category out of 10):

spread: 7.8
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.