CVE-2018-11356 in Wireshark

Summary

by MITRE

In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record.


Analysis

by VulDB Data Team • 03/14/2023

The vulnerability identified as CVE-2018-11356 is a critical denial of service flaw in Wireshark's DNS protocol dissector. It affects releases 2.6.0, 2.4.0 through 2.4.6, and 2.2.0 through 2.2.14 of the network protocol analyzer. The flaw manifests as a crash that can be triggered while dissecting DNS traffic, specifically when an SRV (service) record carries an empty name. It stems from inadequate input validation in packet-dns.c, where the dissector failed to handle the edge case of a NULL or empty name in a DNS resource record.

The root cause corresponds to CWE-476, NULL pointer dereference. When the DNS dissector encounters an SRV record with an empty name, the code dereferences a NULL pointer without first checking for it. Because the dissector does not validate the parsed DNS data before processing it, a service record with a malformed or incomplete name field creates an execution path that ends in program termination rather than graceful error handling.

From an operational perspective, this vulnerability poses significant risk to network security analysts and forensic investigators who rely on Wireshark for traffic analysis. An attacker could craft DNS packets containing SRV records with empty names to crash Wireshark, interrupting network monitoring and analysis. This denial of service affects both automated network monitoring systems and manual forensic workflows, and it illustrates how ordinary protocol parsing becomes a vector for service disruption when error handling is absent.

The remediation for CVE-2018-11356 added a NULL pointer check in epan/dissectors/packet-dns.c for the empty-name case in SRV records. This fix aligns with defensive programming practices recommended in the ATT&CK framework for network monitoring tools, where input validation and error handling are core components of secure software development. Organizations should prioritize updating Wireshark to a version that includes this patch, as triggering the flaw requires no advanced technical skill. The fix underlines that malformed network traffic must never crash a protocol analysis tool; it should be handled gracefully with appropriate logging and error reporting.
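As an added, self-contained illustration (not Wireshark's code and not the patched packet-dns.c), the following C program shows the defensive pattern behind this bug class: a wire-format name decoder that yields an empty string for the root name, an SRV RDATA parser that normalises that case per RFC 2782, and an owner-name splitter in which strchr returns NULL for an empty name and is checked before use. All function names and the sample records are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255

/* Decode an uncompressed DNS wire-format name starting at buf[off] into
 * dotted text in out (outlen bytes). Returns the number of wire bytes
 * consumed, or -1 on malformed input (truncated label, compression pointer,
 * output too small). An empty name, i.e. a single 0x00 root terminator,
 * consumes one byte and leaves out as "": the case the SRV code below must
 * handle explicitly. Hypothetical helper, not Wireshark's. */
static int dns_name_decode(const uint8_t *buf, size_t len, size_t off,
                           char *out, size_t outlen)
{
    size_t pos = off, o = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= len) return -1;                 /* truncated before terminator */
        uint8_t l = buf[pos++];
        if (l == 0) break;                         /* root terminator */
        if (l & 0xC0) return -1;                   /* compression not supported here */
        if (pos + l > len) return -1;              /* label runs past buffer */
        if (o + (o > 0) + l >= outlen) return -1;  /* leave room for the NUL */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, buf + pos, l);
        o += l;
        pos += l;
        out[o] = '\0';
    }
    return (int)(pos - off);
}

typedef struct {
    uint16_t priority, weight, port;
    char target[DNS_NAME_MAX + 1];
} srv_rdata;

/* Parse SRV RDATA (RFC 2782: priority, weight, port, target). Returns 0 on
 * success, -1 if malformed. An empty target is legal (a target of "." means
 * the service is not available), so it is normalised to "." instead of being
 * passed on as an empty string that later code might treat as "no name". */
static int srv_parse(const uint8_t *rdata, size_t len, srv_rdata *out)
{
    if (len < 7) return -1;   /* three 16-bit fields plus at least the root byte */
    out->priority = (uint16_t)((rdata[0] << 8) | rdata[1]);
    out->weight   = (uint16_t)((rdata[2] << 8) | rdata[3]);
    out->port     = (uint16_t)((rdata[4] << 8) | rdata[5]);
    int n = dns_name_decode(rdata, len, 6, out->target, sizeof out->target);
    if (n < 0) return -1;
    if (out->target[0] == '\0')
        strcpy(out->target, ".");
    return 0;
}

/* Split an SRV owner name "_service._proto.name" into its service and proto
 * labels. strchr returns NULL when a dot is missing, which is exactly what
 * happens for an empty owner name; checking those results before use is the
 * kind of NULL check the advisory describes (generic illustration only). */
static int srv_owner_split(const char *owner, char *service, char *proto, size_t n)
{
    if (owner == NULL || owner[0] == '\0') return -1;   /* empty name: nothing to split */
    const char *d1 = strchr(owner, '.');
    if (d1 == NULL) return -1;                          /* no service/proto boundary */
    const char *d2 = strchr(d1 + 1, '.');
    if (d2 == NULL) return -1;                          /* no proto/name boundary */
    size_t sl = (size_t)(d1 - owner), pl = (size_t)(d2 - d1 - 1);
    if (sl == 0 || pl == 0 || sl >= n || pl >= n) return -1;
    memcpy(service, owner, sl); service[sl] = '\0';
    memcpy(proto, d1 + 1, pl);  proto[pl] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed SRV RDATA: priority 10, weight 20, port 5060, target sip.example.com */
    static const uint8_t rec[] = { 0x00,0x0a, 0x00,0x14, 0x13,0xc4,
        3,'s','i','p', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
    /* Constructed SRV RDATA whose target is the empty (root) name */
    static const uint8_t empty[] = { 0x00,0x0a, 0x00,0x14, 0x13,0xc4, 0 };
    srv_rdata r;
    char svc[64], proto[64];
    if (srv_parse(rec, sizeof rec, &r) == 0)
        printf("port %u target %s\n", r.port, r.target);
    if (srv_parse(empty, sizeof empty, &r) == 0)
        printf("port %u target %s\n", r.port, r.target);
    printf("split full: %d\n", srv_owner_split("_sip._udp.example.com", svc, proto, sizeof svc));
    printf("split empty: %d\n", srv_owner_split("", svc, proto, sizeof svc));
    return 0;
}
```

The point of the splitter is that an empty name is not a parse error at the wire level, so the decoder cannot reject it; the code that goes on to use the name is where the NULL check belongs.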

Reservation

05/21/2018

Disclosure

05/22/2018

Moderation

accepted

CPE

ready

EPSS

0.01183

KEV

no

Activities

very low
