Wireshark
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*
- >= 4.6.0, <= 4.6.4
- >= 4.4.0, <= 4.4.14
A denial-of-service vulnerability has been identified in the UDS (Unified Diagnostic Services) protocol dissector of Wireshark. This issue, present in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14, arises from a malformed UDS request frame that causes the dissection process to enter an infinite loop. The loop is triggered by an attacker-controlled byte that, when set to zero, creates a condition where the dissection offset does not advance, so the loop never terminates. The flaw stems from a lack of input validation on that byte and results in excessive CPU usage and application hangs, both in the Wireshark GUI and in tshark, the command-line version of Wireshark.
Exploitation of this vulnerability leads to a complete application hang, causing Wireshark or tshark to become unresponsive. This can disrupt automated processes that rely on tshark, such as CI pipelines or forensics workflows.
The vulnerability can be reproduced by sending a UDS request frame with specific characteristics: the service ID must be 0x2C, the subfunction 0x02, and the addressAndLengthFormatIdentifier set to 0x00. This crafted packet can be included in a pcap file, which, when opened with Wireshark or processed with tshark, will cause the application to hang indefinitely.
Users should upgrade to Wireshark 4.6.5 or 4.4.15 or later. If an immediate upgrade is not possible, the UDS dissector can be disabled in the Wireshark settings, untrusted pcap files should not be opened, and tshark can be run under a timeout so that a malformed capture cannot hang an automated pipeline.
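The two interim mitigations above (disabling the UDS dissector and bounding tshark's run time) can be combined in a small wrapper for batch-processing untrusted captures. This is an added example, not part of the advisory or of the Wireshark project; it assumes GNU coreutils `timeout` and tshark's `--disable-protocol` option, and that the UDS dissector's protocol name is `uds`. The `TSHARK_BIN` and `TSHARK_TIMEOUT` variables are hypothetical knobs introduced here.

```shell
#!/bin/sh
# Guarded tshark wrapper for untrusted captures (added example, not the
# advisory's own code). Assumes GNU `timeout` and tshark's --disable-protocol.
TSHARK_BIN="${TSHARK_BIN:-tshark}"       # hypothetical override, for testing
TSHARK_TIMEOUT="${TSHARK_TIMEOUT:-60}"   # wall-clock limit in seconds

# Run tshark on one capture with the UDS dissector off and a time limit.
# Returns tshark's exit status; 124 means timeout killed a hung run.
tshark_guarded() {
    capture="$1"; shift
    timeout --kill-after=5 "$TSHARK_TIMEOUT" \
        "$TSHARK_BIN" --disable-protocol uds -r "$capture" "$@"
}

# Classify one capture as ok / hang / error; returns 0 / 124 / other.
classify_capture() {
    rc=0
    tshark_guarded "$1" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)   echo "ok    $1" ;;
        124) echo "hang  $1 (killed after ${TSHARK_TIMEOUT}s; quarantine for triage)" ;;
        *)   echo "error $1 (tshark exit $rc)" ;;
    esac
    return "$rc"
}

# Walk a directory of captures; exit status is the number of files that hung,
# so a CI step fails when a capture like the one in this advisory shows up.
scan_directory() {
    hung=0
    for f in "$1"/*.pcap "$1"/*.pcapng; do
        [ -e "$f" ] || continue
        rc=0
        classify_capture "$f" || rc=$?
        if [ "$rc" -eq 124 ]; then hung=$((hung + 1)); fi
    done
    return "$hung"
}
```

A capture that times out under the wrapper is a candidate for this bug and should be inspected only on a patched build.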