CVE-2019-16319
📋 TL;DR
This vulnerability in Wireshark allows an attacker to cause a denial of service by sending the Gryphon protocol dissector into an infinite loop. When a specially crafted packet is dissected, whether it arrives on a monitored interface or is read from a crafted capture file, affected Wireshark and TShark versions spin at 100% of one CPU core and stop making progress; this is a hang, not a memory-corruption crash. Users running Wireshark 2.6.0-2.6.10 or 3.0.0-3.0.3 are affected.
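The bug class behind this advisory is a dissector loop that advances its offset by a length the packet itself supplies; a zero length means the offset never moves. The following is an added illustration, not Wireshark code: the framing (a 2-byte big-endian total length that includes its own header, records packed back to back) is a hypothetical simplification and is not the real Gryphon message layout. The vulnerable walker keeps an iteration budget so the demo terminates instead of hanging the interpreter, and the hardened walker shows the kind of minimum-length check that stops the loop.

```python
"""Added example (not Wireshark code): a length-prefixed record loop that
wedges on a zero-length record, beside the hardened form.

The record format here is hypothetical: 2-byte big-endian TOTAL length
(header included) followed by payload. It only models the bug class."""
import struct

HEADER_LEN = 2  # size of the hypothetical length field


def encode(payloads):
    """Build a well-formed buffer from payloads (constructed sample input)."""
    return b"".join(struct.pack(">H", HEADER_LEN + len(p)) + p for p in payloads)


def vulnerable_walk(buf, max_iterations=1000):
    """Pre-fix style loop: trust the claimed length and advance by it.

    A real dissector would spin forever on a zero length; the iteration
    budget exists only so this demo returns and reports 'hung'.
    """
    records, offset, iterations = [], 0, 0
    while offset + HEADER_LEN <= len(buf):
        iterations += 1
        if iterations > max_iterations:
            return records, "hung"  # in Wireshark this is the 100%-CPU hang
        (total_len,) = struct.unpack_from(">H", buf, offset)
        records.append(buf[offset + HEADER_LEN:offset + total_len])
        offset += total_len  # total_len == 0 leaves offset unchanged forever
    return records, "ok"


def hardened_walk(buf):
    """Fixed loop: a length that cannot even cover its own header is malformed,
    and a length that overruns the buffer is truncated; both stop parsing."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(buf):
        (total_len,) = struct.unpack_from(">H", buf, offset)
        if total_len < HEADER_LEN:
            return records, "malformed"  # guarantees offset strictly increases
        if offset + total_len > len(buf):
            return records, "truncated"
        records.append(buf[offset + HEADER_LEN:offset + total_len])
        offset += total_len
    return records, "ok"


# Constructed samples: a sane stream, and one with a zero-length record.
GOOD = encode([b"\x01\x02", b"hello"])
CRAFTED = encode([b"\x01\x02"]) + b"\x00\x00" + b"\x00\x02"

if __name__ == "__main__":
    print("vulnerable/good   :", vulnerable_walk(GOOD)[1])
    print("vulnerable/crafted:", vulnerable_walk(CRAFTED)[1])
    print("hardened/crafted  :", hardened_walk(CRAFTED)[1])
```

The same shape appears in many dissectors (TLV walkers, chunked containers, multi-message TCP payloads), so the check worth auditing for is always the same: does every iteration move the offset forward by at least the header size?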
💻 Affected Systems
- Wireshark 2.6.0 through 2.6.10 and 3.0.0 through 3.0.3, including TShark and other tools built on the same dissector engine, and distribution packages built from those releases (for example the openSUSE Leap and Debian LTS packages named in the references)
📦 What is this software?
Wireshark, by the Wireshark project: the network protocol analyzer whose Gryphon dissector contains the flaw.
Leap, by openSUSE: a Linux distribution that ships Wireshark packages built from the affected releases (see the openSUSE security announcement in the references).
⚠️ Risk & Real-World Impact
Worst Case
A headless TShark sensor or automated capture-analysis pipeline wedges permanently on one crafted packet, silently stopping analysis of everything that follows until someone notices the pinned CPU and kills the process.
Likely Case
An analyst's Wireshark session hangs at 100% CPU while dissecting a crafted Gryphon packet or opening a crafted capture file; the process has to be killed, and any unsaved capture in that session is lost.
If Mitigated
With the patched version installed, or the Gryphon dissector disabled, the crafted packet is rejected as malformed or left undissected and analysis continues. Note that Wireshark does not restart itself after a hang; recovery is manual unless you add your own process supervision.
🎯 Exploit Status
Exploitation requires getting a crafted Gryphon packet in front of the dissector: either by injecting it onto a network segment that a vulnerable Wireshark or TShark instance is capturing, or by convincing a user to open a crafted capture file (the file route needs no network access to the victim at all). No authentication or user interaction beyond normal dissection is needed, and the effect is limited to denial of service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Wireshark 2.6.11, 3.0.4, or later
Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2019-21.html
Restart Required: Yes, for Wireshark and TShark processes (no system reboot is needed).
Instructions:
1. Download the latest release from wireshark.org/download.html, or on Linux update through your distribution's package manager using the fixed package named in your vendor's advisory (openSUSE and Debian advisories are listed in the references)
2. Uninstall the current version if installing from the upstream installer
3. Install the patched version
4. Restart any running Wireshark or TShark processes so the new dissector code is loaded
🔧 Temporary Workarounds
Disable the Gryphon dissector
Prevent Wireshark from dissecting Gryphon at all; the packets are still captured but shown as plain TCP data.
GUI: Analyze -> Enabled Protocols..., search for "Gryphon", uncheck it, and save. CLI: run tshark (or wireshark) with --disable-protocol gryphon.
Filter Gryphon traffic
Use a capture filter so Gryphon traffic is never handed to the dissector. Capture filters are BPF expressions and do not understand protocol names, so filter on the port: Gryphon is dissected on its default TCP port 7000, so use the capture filter: not tcp port 7000
Caveat: this hides all Gryphon traffic from the capture, and it does not help when the crafted packet arrives in a capture file rather than on the wire, so disabling the dissector is the safer of the two workarounds.
🧯 If You Can't Patch
- Implement network segmentation so that interfaces monitored by a vulnerable Wireshark or TShark instance do not see untrusted traffic, and do not open capture files from untrusted sources in an unpatched build
- Monitor Wireshark/TShark process health and kill and restart a process that sits at 100% CPU without making progress; this is a hang rather than a crash, so crash-based restart logic will not trigger
🔍 How to Verify
Check if Vulnerable:
Check the Wireshark version: Help -> About Wireshark in the GUI. If the version is 2.6.0-2.6.10 or 3.0.0-3.0.3, you are vulnerable. TShark and other command-line tools share the same dissector, so check them too. Distribution packages may carry a backported fix under an old version number, so on Linux compare against the package version in your distribution's advisory rather than the upstream ranges alone.
Check Version:
wireshark --version | grep 'Wireshark'
tshark --version | grep 'Wireshark'
Verify Fix Applied:
Verify the version is 2.6.11+, 3.0.4+, or later. If you test with a crafted Gryphon capture, do it in an isolated VM and wrap the run in a timeout (for example, timeout 30 tshark -r sample.pcap) so a still-vulnerable build cannot wedge the host; a patched build finishes and reports the packet as malformed instead of hanging.
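An added example for automating the version check across many hosts (this is not tooling from the Wireshark project): it parses the banner printed by wireshark --version or tshark --version and tests it against the two affected ranges. The sample banners are constructed to mimic real output; only the x.y.z number is relied upon. The caveat about distribution backports still applies: a package that carries the fix under an old version number will be reported as vulnerable here, so reconcile against your vendor's advisory.

```python
"""Added example (not from the Wireshark project): classify a Wireshark or
TShark --version banner against the CVE-2019-16319 affected ranges."""
import re
import subprocess

# Affected ranges from the advisory: 2.6.0-2.6.10 and 3.0.0-3.0.3 inclusive.
VULNERABLE_RANGES = (((2, 6, 0), (2, 6, 10)), ((3, 0, 0), (3, 0, 3)))
FIXED_IN = {2: "2.6.11", 3: "3.0.4"}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Extract the first x.y.z triple from a --version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no x.y.z version found in %r" % banner)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if the version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def classify(banner):
    """Return a small report dict for one banner."""
    version = parse_version(banner)
    vulnerable = is_vulnerable(version)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "fix": FIXED_IN.get(version[0], "3.0.4 or later") if vulnerable else None,
    }


def check_installed(binary="tshark"):
    """Run the real binary on this host (not used by the self-test)."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    return classify(out)


# Constructed banners shaped like real `tshark --version` / `wireshark --version` output.
SAMPLE_BANNERS = [
    "TShark (Wireshark) 3.0.3 (Git v3.0.3 packaged as 3.0.3-1)",
    "Wireshark 3.0.4 (Git v3.0.4 packaged as 3.0.4-1)",
    "TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1)",
    "Wireshark 2.6.11 (Git v2.6.11 packaged as 2.6.11-1)",
    "Wireshark 2.4.16 (Git v2.4.16 packaged as 2.4.16-1)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(classify(banner))
```

Run check_installed() on a host to test the real binary; the sample banners exist so the logic can be exercised offline. Anything older than 2.6.0 is reported as not affected by this CVE, which says nothing about other advisories that apply to those end-of-life branches.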
📡 Detection & Monitoring
Log Indicators:
- Wireshark or TShark processes pinned at 100% of one CPU core with no output or UI progress; because this is an infinite loop rather than memory corruption, do not expect a crash dump or a crash log entry
- On Windows, Application Hang events (Event ID 1002) for wireshark.exe rather than Application Error (Event ID 1000) crash events
- System logs showing Wireshark or TShark processes being killed manually or by a supervisor after a hang
Network Indicators:
- Gryphon traffic (TCP port 7000 by default) on monitored segments where no Gryphon CAN-bus gateway is expected; Gryphon is an automotive test-equipment protocol and is rarely legitimate on general networks
- Repeated Gryphon packets from a single source, which suggests an attacker retrying to hit a sensor
SIEM Query:
Pseudo-query (adapt to your SIEM's schema); key on sustained CPU rather than crash events, since the loop never terminates the process:
(ProcessName="wireshark" OR ProcessName="tshark") AND (EventID=1002 OR CPUUsage>90% FOR 60s)
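The detection logic behind that query, as an added example (not from any SIEM product): it reads periodic per-process CPU samples and alerts on a dissector process that stays above the threshold for the full sustained window, resetting on any dip. The sample lines are constructed; the column layout (epoch seconds, pid, command name, %CPU) is an assumed export format such as a cron job running ps -eo pid,comm,%cpu would produce, not a real product schema. dumpcap is excluded on purpose: it only captures and never runs dissectors, so it cannot be affected by this bug.

```python
"""Added example (not from any SIEM product): flag Wireshark/TShark processes
whose CPU stays above a threshold for a sustained window, the symptom of the
Gryphon dissector loop (a hang, so there is no crash log to key on)."""

# Processes that actually run dissectors; dumpcap only captures packets.
DISSECTOR_PROCS = {"wireshark", "tshark", "rawshark"}
CPU_THRESHOLD = 90.0   # percent of one core
SUSTAINED_SECS = 60    # how long it must stay pinned before alerting

# Constructed samples: "<epoch> <pid> <comm> <cpu%>", one per process per tick.
SAMPLE_LINES = """\
1569000000 4120 tshark 12.0
1569000000 4133 wireshark 3.5
1569000010 4120 tshark 99.0
1569000020 4120 tshark 99.5
1569000030 4120 tshark 100.0
1569000040 4120 tshark 99.8
1569000050 4120 tshark 99.9
1569000060 4120 tshark 100.0
1569000070 4120 tshark 99.7
1569000070 4133 wireshark 2.0
1569000080 4210 dumpcap 95.0
1569000090 4210 dumpcap 97.0
1569000100 4210 dumpcap 98.0
1569000110 4210 dumpcap 99.0
1569000120 4210 dumpcap 99.0
1569000130 4210 dumpcap 99.0
1569000140 4210 dumpcap 99.0
"""


def parse_samples(text):
    """Yield (timestamp, pid, comm, cpu) tuples from the assumed sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, comm, cpu = line.split()
        yield int(ts), int(pid), comm, float(cpu)


def find_hung_dissectors(text, threshold=CPU_THRESHOLD, sustained=SUSTAINED_SECS):
    """Return {pid: (comm, run_start, last_seen)} for dissector processes that
    stayed at or above `threshold` for at least `sustained` seconds."""
    runs = {}     # pid -> (comm, run_start, last_seen) for the current hot run
    alerts = {}
    for ts, pid, comm, cpu in sorted(parse_samples(text)):
        if comm not in DISSECTOR_PROCS:
            continue
        if cpu >= threshold:
            _, start, _ = runs.get(pid, (comm, ts, ts))
            runs[pid] = (comm, start, ts)
            if ts - start >= sustained:
                alerts[pid] = (comm, start, ts)
        else:
            runs.pop(pid, None)   # one sample below threshold resets the run
    return alerts


if __name__ == "__main__":
    for pid, (comm, start, last) in find_hung_dissectors(SAMPLE_LINES).items():
        print("ALERT pid=%d %s pinned from %d to %d" % (pid, comm, start, last))
```

Legitimate work also pins a core (loading a large capture, heavy display filters), so treat this as a triage signal and correlate it with Gryphon traffic on the monitored segment or with a recently opened capture file before calling it an attack.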
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020
- https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=02ddd49885c6a09e936a76aceb726ed06539704a
- https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html
- https://www.wireshark.org/security/wnpa-sec-2019-21.html