CVE-2015-6249 in Wireshark

Summary

by MITRE

The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.7 does not prevent the conflicting use of a table for both IPv4 and IPv6 addresses, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.


Analysis

by VulDB Data Team • 06/13/2022

The vulnerability identified as CVE-2015-6249 resides within the Wireshark network protocol analyzer software, specifically in the WCCP dissector component that handles Web Cache Communication Protocol version 2 requests. This issue affects Wireshark versions 1.12.x prior to 1.12.7, where the dissect_wccp2r1_address_table_info function fails to properly validate address table configurations. The flaw manifests when the dissector encounters packets that attempt to utilize a single table for both IPv4 and IPv6 address types simultaneously, creating a conflict in the internal data structures that Wireshark uses to parse network traffic.

The technical implementation of this vulnerability stems from inadequate input validation within the WCCP dissector module. When Wireshark processes network packets containing WCCP version 2 data, the dissect_wccp2r1_address_table_info function does not properly check for conflicting address type specifications within the same table structure. This allows an attacker to craft malicious packets that specify both IPv4 and IPv6 address formats for the same table entry, causing the dissector to attempt operations that lead to memory corruption and subsequent application instability. The flaw represents a classic case of improper handling of conflicting data structures and demonstrates a lack of proper boundary checking in protocol parsing logic.

The operational impact of this vulnerability extends beyond simple denial of service conditions, as it can result in complete application crashes that disrupt network analysis operations. Network administrators and security analysts who rely on Wireshark for traffic monitoring and forensic analysis may experience unexpected application termination when processing maliciously crafted packets. This disruption can occur during routine network monitoring, security incident response activities, or network troubleshooting sessions where the dissector encounters the malformed WCCP packets. The vulnerability essentially allows remote attackers to compromise the stability of network analysis tools, potentially interrupting critical network operations and security monitoring activities.

The vulnerability aligns with CWE-129, which addresses improper validation of input boundaries, and can be categorized under ATT&CK technique T1059 for execution through network protocols. The root cause demonstrates poor defensive programming practices where the dissector fails to implement proper validation checks before processing conflicting address type specifications. Mitigation strategies should focus on upgrading to Wireshark 1.12.7 or later versions where the issue has been resolved through improved input validation and proper handling of address table configurations. Network administrators should also consider implementing network segmentation and packet filtering rules that can prevent malicious WCCP packets from reaching systems running vulnerable versions of Wireshark, though this approach only provides partial protection as the vulnerability can be exploited through legitimate network traffic analysis scenarios. The fix implemented in the patched versions ensures that address table configurations are properly validated before processing, preventing the application crash scenario that occurred when conflicting address types were encountered.
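The kind of validation described above, as an added example: this is not Wireshark's code or its actual fix. The element layout, the `addr_table` struct and all function and constant names are simplified assumptions made for illustration. The parser accepts an address-table element only if its family, address length and entry count are consistent, and refuses to let a table already bound to one family be reused for the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified element layout (big-endian), not Wireshark's structs:
 * family(2) | address length(2) | entry count(4) | count * address length */
enum { FAM_NONE = 0, FAM_IPV4 = 1, FAM_IPV6 = 2 };   /* IANA family numbers */
enum { TBL_OK = 0, TBL_TRUNCATED = -1, TBL_BAD_FAMILY = -2,
       TBL_BAD_ADDR_LEN = -3, TBL_FAMILY_CONFLICT = -4 };

typedef struct {
    int family;               /* FAM_NONE until a table has been accepted */
    uint32_t count;
    const uint8_t *entries;   /* borrowed pointer into the packet buffer */
} addr_table;

static uint32_t be(const uint8_t *p, int n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Validate one address-table element before any state is updated. */
int parse_addr_table(addr_table *t, const uint8_t *buf, size_t len)
{
    if (len < 8) return TBL_TRUNCATED;
    uint32_t family = be(buf, 2), alen = be(buf + 2, 2), count = be(buf + 4, 4);
    if (family != FAM_IPV4 && family != FAM_IPV6) return TBL_BAD_FAMILY;
    if (alen != (family == FAM_IPV4 ? 4u : 16u)) return TBL_BAD_ADDR_LEN;
    /* The check this CVE is about: one table never serves both families. */
    if (t->family != FAM_NONE && t->family != (int)family) return TBL_FAMILY_CONFLICT;
    if (count > (len - 8) / alen) return TBL_TRUNCATED;   /* no overflow */
    t->family = (int)family; t->count = count; t->entries = buf + 8;
    return TBL_OK;
}

/* Constructed sample elements: an IPv4 table, then an IPv6 one. */
static const uint8_t SAMPLE_V4[] = { 0,1, 0,4, 0,0,0,2, 10,0,0,1, 10,0,0,2 };
static const uint8_t SAMPLE_V6[] = { 0,2, 0,16, 0,0,0,1,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,1 };

int main(void)
{
    addr_table t = { FAM_NONE, 0, NULL };
    printf("v4: %d\n", parse_addr_table(&t, SAMPLE_V4, sizeof SAMPLE_V4));
    printf("v6 into same table: %d\n", parse_addr_table(&t, SAMPLE_V6, sizeof SAMPLE_V6));
    return 0;
}
```

Because every check runs before the table is modified, a rejected element leaves the previously accepted table intact rather than half-updated.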

Reservation

08/14/2015

Disclosure

08/24/2015

Moderation

accepted

Entry

VDB-77426

CPE

ready

EPSS

0.00569

KEV

no

Activities

very low
