CVE-2012-6060 in Wireshark

Summary

by MITRE

Integer overflow in the dissect_iscsi_pdu function in epan/dissectors/packet-iscsi.c in the iSCSI dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.


Analysis

by VulDB Data Team • 12/20/2021

The vulnerability described in CVE-2012-6060 represents a critical integer overflow flaw within the iSCSI dissector component of Wireshark, specifically in the dissect_iscsi_pdu function located in epan/dissectors/packet-iscsi.c. This issue affects versions 1.6.x prior to 1.6.12 and 1.8.x prior to 1.8.4, creating a significant security risk for network analysis tools that rely on proper packet parsing. The vulnerability manifests when the dissector encounters malformed iSCSI protocol packets, particularly those with malformed PDU (Protocol Data Unit) structures that trigger incorrect integer arithmetic operations during packet analysis.

The technical implementation of this vulnerability stems from improper handling of integer values within the dissect_iscsi_pdu function where an integer overflow occurs during the calculation of packet lengths or offsets. When a remote attacker crafts a specially designed malformed iSCSI packet with values that exceed the maximum representable integer, the overflow condition causes the dissector to enter an infinite loop during packet processing. This occurs because the overflowed integer value becomes negative or wraps around to a large positive value, leading to incorrect loop termination conditions or buffer size calculations that cause the dissector to continuously process the same packet data without proper exit conditions.

The operational impact of this vulnerability is severe as it enables remote attackers to perform denial of service attacks against systems running affected versions of Wireshark. When a victim analyst opens a maliciously crafted capture file containing the malformed iSCSI packets or when Wireshark is configured to monitor network traffic containing such packets, the application becomes unresponsive or consumes excessive CPU resources. This behavior effectively renders the network analysis tool unusable for legitimate traffic analysis purposes, creating a significant operational disruption for security professionals who rely on Wireshark for network troubleshooting and security monitoring activities. The vulnerability can be exploited in both offline analysis scenarios with malicious capture files and online scenarios where real-time packet monitoring is performed.

This vulnerability aligns with CWE-190, which specifically addresses integer overflow conditions, and can be categorized under ATT&CK technique T1499.004 for network denial of service attacks. The flaw demonstrates poor input validation practices in protocol dissector implementations, where the software fails to properly validate packet structure parameters before performing arithmetic operations.

The remediation approach involves implementing proper integer bounds checking and overflow detection mechanisms within the dissect_iscsi_pdu function to ensure that calculated values remain within valid ranges. The fix requires updating the dissector to validate packet length fields and other integer parameters before using them in loop conditions or memory allocation calculations. Additionally, implementing proper error handling and early termination conditions for malformed packets prevents the infinite loop scenario while maintaining the ability to identify and report problematic network traffic to users.

The vulnerability serves as a reminder of the critical importance of robust input validation in network protocol analysis tools, where improper handling of malformed data can lead to complete system unresponsiveness and operational disruption for security teams relying on these essential diagnostic utilities.
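The failure class and the bounds check described above, as an added example that is not Wireshark's code and is not taken from packet-iscsi.c. It assumes a constructed record format (a 4-byte big-endian length followed by that many payload bytes); the function names and sample buffers are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN 4u  /* constructed format: 4-byte big-endian length, then payload */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: 32-bit arithmetic on a length taken from the packet.
 * With len = 0xFFFFFFFC the sum wraps back to `offset`, so a loop using
 * this step never advances. Returned, not looped on, so the demo halts. */
uint32_t next_offset_wrapping(const uint8_t *buf, uint32_t offset) {
    uint32_t len = read_be32(buf + offset);
    return offset + HDR_LEN + len;           /* wraps modulo 2^32 */
}

/* Hardened walk: compare the length with the bytes that remain before
 * any addition. Returns the record count, or -1 on a malformed record. */
int walk_pdus_checked(const uint8_t *buf, size_t buf_len) {
    size_t offset = 0;
    int count = 0;
    while (offset < buf_len) {
        if (buf_len - offset < HDR_LEN)
            return -1;                       /* truncated header */
        uint32_t len = read_be32(buf + offset);
        if (len > buf_len - offset - HDR_LEN)
            return -1;                       /* length exceeds captured data */
        offset += HDR_LEN + (size_t)len;     /* cannot wrap; advances by >= 4 */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not from a real capture). */
const uint8_t good_capture[] = { 0,0,0,2, 0xAA,0xBB,  0,0,0,0 };
const uint8_t bad_capture[]  = { 0xFF,0xFF,0xFF,0xFC, 0x41,0x41 };

int main(void) {
    printf("wrapping step from 0 -> %u\n", (unsigned)next_offset_wrapping(bad_capture, 0));
    printf("checked walk: good=%d bad=%d\n", walk_pdus_checked(good_capture, sizeof good_capture),
           walk_pdus_checked(bad_capture, sizeof bad_capture));
    return 0;
}
```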
