CVE-2016-5351 in Wireshark
Summary
by MITRE
epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the lack of an EAPOL_RSN_KEY, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/13/2022
The vulnerability identified as CVE-2016-5351 represents a critical denial of service flaw within Wireshark's IEEE 802.11 protocol dissector implementation. This issue specifically affects the airpdcap component responsible for processing wireless network packets and handling EAPOL (Extensible Authentication Protocol over LAN) key management. The vulnerability resides in the epan/crypt/airpdcap.c file where the software fails to properly handle scenarios where an EAPOL_RSN_KEY element is missing from crafted wireless packets. This flaw impacts Wireshark versions 1.12.x prior to 1.12.12 and 2.x versions prior to 2.0.4, making it a widespread concern across multiple release branches of the popular network protocol analyzer.
The technical nature of this vulnerability stems from inadequate input validation and error handling within the packet processing pipeline. When Wireshark encounters a wireless packet that lacks the expected EAPOL_RSN_KEY field, the dissector does not gracefully handle this missing element but instead proceeds with malformed data processing. This leads to memory corruption conditions and subsequent application crashes that result in complete service disruption. The flaw operates at the protocol parsing layer where the dissector attempts to access memory locations that have not been properly initialized or validated, creating a classic buffer overflow scenario that can be triggered remotely through network packet injection.
From an operational perspective, this vulnerability presents a significant risk to network security monitoring and forensic analysis operations that rely on Wireshark for packet inspection. An attacker can remotely trigger a denial of service condition by sending a single crafted wireless packet to any system running the vulnerable Wireshark version, causing the application to crash and terminate unexpectedly. This disruption can occur in various network monitoring scenarios including security operations centers, forensic investigations, and network troubleshooting environments where Wireshark is actively processing wireless traffic. The impact extends beyond simple service interruption as it can compromise ongoing network analysis activities and potentially provide attackers with information about the target system's configuration.
The vulnerability aligns with CWE-125, which describes "Out-of-bounds Read" conditions where software reads data past the boundaries of a valid buffer or array. Additionally, it demonstrates characteristics consistent with ATT&CK technique T1499.004, which involves network disruption through service availability attacks. Organizations using Wireshark for wireless network analysis should prioritize immediate patching of affected versions to prevent exploitation. The recommended mitigation strategy includes updating to Wireshark versions 1.12.12 or 2.0.4 and later, which contain the necessary code fixes to properly handle missing EAPOL_RSN_KEY elements. Network administrators should also implement network segmentation and access controls to limit exposure to potentially malicious packet injection attempts while monitoring for unusual network behavior that might indicate exploitation attempts.