Wireshark WebSocket Protocol Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The issue arises in the WebSocket protocol dissector, where unbounded decompression of compressed WebSocket frames can lead to excessive memory consumption. This flaw allows for a crafted WebSocket frame to inflate significantly, causing Wireshark to crash or to use an excessive amount of system resources.

Impact

Exploitation of this vulnerability can cause Wireshark to crash or to consume excessive system resources, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using TShark, the command-line version of Wireshark, to read a capture file that contains a compressed WebSocket frame. The capture file must include an HTTP 101 upgrade negotiation for 'permessage-deflate', followed by a compressed binary frame. This can be done by injecting a malformed packet into the network or by convincing a user to open a packet trace file that contains the crafted WebSocket frame.
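The following Python is an added illustration, not Wireshark's dissector code: it builds a permessage-deflate binary frame of the kind described above (RSV1 set, raw deflate, trailer stripped) and inflates it with the output cap that the unbounded decompression in this advisory lacks. MAX_INFLATED_BYTES is a constructed limit, and the frame builder produces unmasked frames only.

```python
# Added example, not Wireshark code: a cap on how far a compressed WebSocket
# frame may inflate (frame layout per RFC 6455, compression per RFC 7692).
import struct
import zlib

MAX_INFLATED_BYTES = 64 * 1024          # constructed cap for this example
RSV1 = 0x40                             # "payload is compressed" bit
DEFLATE_TRAILER = b"\x00\x00\xff\xff"   # stripped by sender, re-added by receiver

class FrameTooLarge(Exception):
    """Payload would inflate beyond the configured limit."""

def build_compressed_frame(message: bytes) -> bytes:
    """Unmasked binary frame, FIN=1 and RSV1=1, carrying a raw-deflate payload."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate, no zlib header
    body = comp.compress(message) + comp.flush(zlib.Z_SYNC_FLUSH)
    body = body[:-len(DEFLATE_TRAILER)]                 # RFC 7692 section 7.2.1
    first = 0x80 | RSV1 | 0x2                           # FIN | RSV1 | opcode binary
    n = len(body)
    if n < 126:
        return bytes([first, n]) + body
    if n < 1 << 16:
        return bytes([first, 126]) + struct.pack(">H", n) + body
    return bytes([first, 127]) + struct.pack(">Q", n) + body

def inflate_frame(frame: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Parse the header and inflate the payload without producing more than `limit` bytes."""
    if not frame[0] & RSV1:
        raise ValueError("frame is not compressed")
    n, offset = frame[1] & 0x7F, 2
    if n == 126:
        n, offset = struct.unpack(">H", frame[2:4])[0], 4
    elif n == 127:
        n, offset = struct.unpack(">Q", frame[2:10])[0], 10
    payload = frame[offset:offset + n]
    d = zlib.decompressobj(-15)
    # Request at most limit+1 bytes: an over-limit frame is detected after one
    # extra byte instead of materialising the whole inflated message in memory.
    out = d.decompress(payload + DEFLATE_TRAILER, max_length=limit + 1)
    if len(out) > limit:
        raise FrameTooLarge(f"payload inflates past {limit} bytes")
    return out

def dissect(frame: bytes, limit: int = MAX_INFLATED_BYTES) -> str:
    """'ok' when the frame inflates within the cap, 'rejected' otherwise."""
    try:
        inflate_frame(frame, limit)
        return "ok"
    except FrameTooLarge:
        return "rejected"
```

A one-mebibyte run of zero bytes deflates to roughly a kilobyte, so the rejected case shows a frame a few hundredfold smaller than the memory an uncapped inflate would commit to it.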

Remediation

Users are advised to upgrade to Wireshark 4.6.5 or 4.4.15, or a later release.

Added: Apr 30, 2026, 7:21 AM
Updated: Apr 30, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          7.8
impact          2.5
exploitability  5.8
remediation     7.7
relevance       7.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.