CVE-2019-10896

7.5 HIGH

📋 TL;DR

CVE-2019-10896 is a denial-of-service vulnerability in Wireshark's DOF dissector that could cause the application to crash when processing specially crafted packets. This affects Wireshark users analyzing network traffic containing DOF protocol data. The vulnerability allows remote attackers to disrupt packet analysis operations.

💻 Affected Systems

Products:
  • Wireshark
Versions: 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when analyzing packets using the DOF (Distributed Object Facility) dissector. Users must be actively analyzing network traffic containing DOF protocol data.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete crash of Wireshark during packet analysis, potentially causing loss of ongoing network monitoring or forensic investigation data.

🟠 Likely Case

Application crash requiring restart, interrupting network analysis sessions and potentially causing data loss from unsaved captures.

🟢 If Mitigated

Minimal impact if Wireshark is not used to analyze DOF protocol traffic or if the vulnerable dissector is disabled.

🌐 Internet-Facing: LOW - Wireshark is typically not an internet-facing service but a desktop analysis tool.
🏢 Internal Only: MEDIUM - Internal network analysts using Wireshark could have their analysis sessions disrupted by crafted packets on monitored networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to inject specially crafted DOF packets into network traffic being analyzed. The bug report includes crash details that could facilitate exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Wireshark 2.4.14, 2.6.8, and 3.0.1

Vendor Advisory: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15617

Restart Required: Yes

Instructions:

1. Download the latest patched version from wireshark.org.
2. Uninstall the old version.
3. Install the new version.
4. Restart the system if prompted.

🔧 Temporary Workarounds

Disable DOF dissector (Platforms: all)

Prevent Wireshark from parsing DOF protocol packets by disabling the dissector.

In Wireshark: Analyze -> Enabled Protocols -> Uncheck 'DOF'

Use capture filters (Platforms: all)

Filter out DOF traffic from being captured.

Use capture filter: not port 65000 (common DOF port)

🧯 If You Can't Patch

  • Disable the DOF dissector in Wireshark protocol settings
  • Implement network segmentation to limit exposure to potentially malicious DOF traffic

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version: Help -> About Wireshark. If version is 2.4.0-2.4.13, 2.6.0-2.6.7, or exactly 3.0.0, you are vulnerable.

Check Version:

wireshark --version (Linux) or check About dialog (Windows)

Verify Fix Applied:

Verify Wireshark version is 2.4.14+, 2.6.8+, or 3.0.1+. Test with sample DOF traffic to ensure no crashes.
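As an added example (not part of the original advisory), the following Python script automates the version check described above: it parses the output of `wireshark --version` and reports whether the installed release falls inside the affected ranges, is a fixed release on one of the affected branches, or was never affected. The version strings it ships with are constructed samples, not real command output, and the live check is optional.

```python
"""Check an installed Wireshark version against the ranges affected by CVE-2019-10896."""
import re
import subprocess

# Affected ranges (inclusive) and the release that fixes each branch, as listed in the advisory.
AFFECTED_RANGES = [
    ((2, 4, 0), (2, 4, 13), (2, 4, 14)),
    ((2, 6, 0), (2, 6, 7), (2, 6, 8)),
    ((3, 0, 0), (3, 0, 0), (3, 0, 1)),
]

# First X.Y.Z token in the text is taken as the version number.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample outputs in the shape `wireshark --version` prints (not captured from real hosts).
SAMPLE_OUTPUTS = [
    "Wireshark 2.6.7 (Git v2.6.7 packaged as 2.6.7-1)",
    "Wireshark 3.0.1 (v3.0.1-0-gea351cd8)",
    "Wireshark 3.2.0 (v3.2.0-0-g8ac3c3b4)",
]


def parse_version(text):
    """Return the first X.Y.Z version found in text as an int tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify a version tuple.

    Returns (status, fix_version) where status is one of:
      'vulnerable'  - inside an affected range; fix_version is the release to upgrade to
      'fixed'       - on an affected branch but at or above its fixed release
      'unaffected'  - on a branch the advisory does not list
    """
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return "vulnerable", fixed
        if version[:2] == fixed[:2] and version >= fixed:
            return "fixed", fixed
    return "unaffected", None


def assess_output(version_output):
    """Parse `wireshark --version` output and assess it; returns (version, status, fix)."""
    version = parse_version(version_output)
    if version is None:
        raise ValueError("no X.Y.Z version number found in output")
    status, fixed = assess(version)
    return version, status, fixed


def check_installed(binary="wireshark"):
    """Run `<binary> --version` on this host and assess the result (tshark accepts the same flag)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True).stdout
    return assess_output(out)


if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        version, status, fixed = assess_output(sample)
        fix_note = f" (fixed in {'.'.join(map(str, fixed))})" if fixed else ""
        print(f"{'.'.join(map(str, version))}: {status}{fix_note}")
    try:
        version, status, fixed = check_installed()
        print(f"installed: {'.'.join(map(str, version))}: {status}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("installed: wireshark not found on PATH, live check skipped")
```

Run it as-is to see the three constructed samples classified; on a host with Wireshark on the PATH it also reports the installed build. Versions on branches the advisory never lists (for example 3.2.x) are reported as unaffected rather than fixed, so the two cases are not confused.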

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events in system logs

Network Indicators:

  • Unusual DOF protocol traffic patterns
  • Malformed DOF packets

SIEM Query:

(EventID: 1000 OR EventID: 1001) AND ProcessName: wireshark.exe

The parentheses matter: AND binds more tightly than OR in most query languages, so without them the query would match every Event 1000 from any process and only restrict Event 1001 to Wireshark.
