CVE-2019-19553

7.5 HIGH

📋 TL;DR

This vulnerability in Wireshark lets an attacker crash the application (denial of service) with a specially crafted CMS (Cryptographic Message Syntax, RFC 5652) object, either injected onto a network segment that is being captured or embedded in a capture file that an analyst opens. The crash occurs during packet dissection: the CMS dissector compared an object identifier against its list of known identifiers before that identifier had been set. The score reflects availability impact only; nothing on the advisory indicates code execution.

💻 Affected Systems

Products:
  • Wireshark
Versions: Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when dissecting CMS (Cryptographic Message Syntax) packets. All default configurations are vulnerable.

📦 What is this software?

Wireshark is an open-source network protocol analyzer with a graphical interface; TShark is its command-line counterpart. Both share the libwireshark dissection engine, so the bug affects both. CMS (RFC 5652) is the ASN.1 container format behind S/MIME signed and encrypted e-mail, PKCS#7 payloads and certificate enrollment protocols; Wireshark's CMS dissector decodes it whenever it shows up inside other traffic, the analyst does not have to ask for it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Wireshark or TShark terminates on the crafted object. A live Wireshark capture session is lost together with any unsaved analysis. The bug is a crash only: the CVSS vector scores availability impact, with no confidentiality or integrity impact.

🟠

Likely Case

Wireshark crashes while an analyst decodes traffic or a capture file containing the crafted CMS object, disrupting analysis until a patched build, or a build with the CMS dissector disabled, is used.

🟢

If Mitigated

No impact once a patched version is deployed or the CMS dissector is disabled. "Not analyzing CMS traffic" is not a control: CMS objects arrive unsolicited inside e-mail and other captured traffic, and the dissector is invoked automatically.

🌐 Internet-Facing: LOW - Wireshark is not a listening service; an attacker reaches the dissector only by getting traffic onto a captured segment or a capture file in front of an analyst.
🏢 Internal Only: MEDIUM - Internal analysts running vulnerable builds crash when they dissect the crafted object, whether it arrived on a monitored segment or in a capture file shared with them.

🎯 Exploit Status

Public PoC: ⚠️ Yes (a crashing capture is attached to the Wireshark bug report behind the advisory)
Weaponized: Crash only; no known path from this bug to code execution
Unauthenticated Exploit: ⚠️ Yes (any packet on a captured segment, or any capture file the analyst opens)
Complexity: LOW

Exploitation requires getting a crafted CMS object into traffic that a vulnerable Wireshark or TShark dissects, for example an S/MIME message on a monitored segment or a capture file handed to an analyst. A proof of concept is available in the bug report.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.0.7 and 2.6.13

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2019-23.html

Restart Required: Yes (restart Wireshark/TShark; no operating-system reboot is needed)

Instructions:

1. Install Wireshark 3.0.7 / 2.6.13 or later from wireshark.org, or the patched package from your distribution. On Linux the fix normally arrives through the distribution's wireshark packages, so upgrade with the package manager rather than uninstalling.
2. Restart any running Wireshark or TShark processes so they load the patched libwireshark.
3. Confirm the version (see How to Verify below).

🔧 Temporary Workarounds

Disable the CMS dissector

Platforms: all

Prevent Wireshark from dissecting CMS objects by disabling the CMS protocol. In the GUI: Analyze > Enabled Protocols, uncheck CMS; the choice is stored in the profile's disabled_protos file, which TShark also honours. From the command line, both programs accept --disable-protocol (there is no cms.desegment preference; a -o option naming one does nothing):

wireshark --disable-protocol cms
tshark --disable-protocol cms -r capture.pcapng

Disabling by protocol name is what makes this work: the CMS dissector is reached from other dissectors (S/MIME, PKCS#7 and other BER-based content), not from a port, and Wireshark refuses to hand data to a disabled protocol whichever path leads to it.

Filter CMS traffic

Platforms: all

Not a viable workaround. CMS is not a transport protocol and has no port of its own; it rides inside other traffic (S/MIME e-mail, PKCS#7 payloads in enrollment protocols such as SCEP and EST, and similar BER-encoded content), so a capture filter cannot reliably remove it. TCP ports 989 and 990 in particular belong to FTPS, not CMS, and excluding them does nothing for this bug. Use the dissector-disable workaround above instead.

🧯 If You Can't Patch

  • Do not open capture files from untrusted sources in a vulnerable build; triage them first with a patched TShark, or one started with --disable-protocol cms
  • Restrict vulnerable builds to trusted network segments, remembering that any segment where an attacker can inject traffic or deliver e-mail carries the risk
  • Monitor analyst workstations for Wireshark/TShark crashes (see Detection & Monitoring below) rather than trying to block "malicious CMS" on the network, which has no distinguishing port or signature

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version: if between 2.6.0-2.6.12 or 3.0.0-3.0.6, system is vulnerable

Check Version:

wireshark -v | grep '^Wireshark'
tshark -v | grep '^TShark'

Verify Fix Applied:

Verify the reported version is 2.6.13 or later on the 2.6 branch, or 3.0.7 or later on the 3.0 branch, then re-open the crashing capture from the bug report (or any CMS-bearing capture you hold) in the updated build and confirm it no longer terminates.
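The version check above, as an added shell example (not the page's or the Wireshark project's own code): it classifies a version string against the two affected ranges this page lists and, where tshark is installed, reads the version from its banner. The function names are this example's own, and the banner strings used for checking are constructed samples.

```shell
#!/bin/sh
# Added example: is a Wireshark/TShark version inside the ranges this page lists
# for CVE-2019-19553 (2.6.0-2.6.12 and 3.0.0-3.0.6; fixed in 2.6.13 and 3.0.7)?
# Exit status: 0 = in an affected range, 1 = not, 2 = version string unparseable.
cve_2019_19553_vulnerable() {
    # Keep only the leading major.minor.patch, dropping suffixes such as " (v3.0.6-0-g...)".
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unparseable version: $1" >&2; return 2; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        2.6) [ "$patch" -le 12 ] ;;   # 2.6.0 .. 2.6.12 affected
        3.0) [ "$patch" -le 6 ] ;;    # 3.0.0 .. 3.0.6 affected
        *)   return 1 ;;              # branch not listed as affected on this page
    esac
}

# Pull major.minor.patch out of the first line of "tshark -v" / "wireshark -v" output,
# which reads e.g. "TShark (Wireshark) 3.0.6 (v3.0.6-0-g...)" or "Wireshark 3.0.6 (...)".
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Check whatever tshark is on PATH. Exit status: 0 vulnerable, 1 not, 3 no tshark found.
check_installed_tshark() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed"; return 3; }
    v=$(version_from_banner "$(tshark -v 2>/dev/null)")
    if cve_2019_19553_vulnerable "$v"; then
        echo "tshark $v: in an affected range for CVE-2019-19553; upgrade to 2.6.13 / 3.0.7 or later"
        return 0
    fi
    echo "tshark $v: not in an affected range"
    return 1
}

# Usage: . ./check.sh && check_installed_tshark
```

The check keys on the branch first: a 2.6.13 is clean while a 3.0.6 is not, so a plain "greater than" comparison against one number would misclassify one branch or the other.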

📡 Detection & Monitoring

Log Indicators:

Wireshark does not keep a crash log of its own, so look at the operating system's crash records:

  • Linux: kernel "segfault" lines for wireshark or tshark in the journal (journalctl -k) or /var/log/kern.log, and core dumps collected by systemd-coredump (coredumpctl list wireshark)
  • Windows: Application log Event ID 1000 (Application Error) naming wireshark.exe or tshark.exe as the faulting application
  • macOS: crash reports for Wireshark in Console / ~/Library/Logs/DiagnosticReports

Network Indicators:

  • There is no CMS port or wire signature to watch. CMS content arrives inside other protocols (S/MIME e-mail, PKCS#7 payloads in SCEP, EST and similar enrollment traffic), so network-side detection of the trigger is impractical; detect the crash on the analyst host instead

SIEM Query (Linux kernel/journal events; adapt field names to your platform):

(process="wireshark" OR process="tshark") AND ("segfault" OR "libwireshark")

On Windows the equivalent is EventCode=1000 with a faulting application of wireshark.exe or tshark.exe.
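An added shell example (not from the page or from Wireshark) of the Linux-side detection described above: it picks Wireshark/TShark segfault records out of kernel log lines as journalctl -k prints them and emits one CSV row per crash, which is the shape of record a SIEM rule would then match. The log lines are constructed samples (host names, PIDs and addresses are made up), not real crash data.

```shell
#!/bin/sh
# Added example: extract Wireshark/TShark crash records from Linux kernel log lines.
# SAMPLE_LOG is constructed, in the format the kernel uses when it logs a SIGSEGV:
#   "<process>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[<base>+<size>]"
SAMPLE_LOG='Dec 10 09:14:02 analyst-vm kernel: wireshark[4242]: segfault at 0 ip 00007f3c1a2b3c4d sp 00007ffd5e6f7a80 error 4 in libwireshark.so.12.0.6[7f3c19e00000+1c00000]
Dec 10 09:14:05 analyst-vm kernel: firefox[5151]: segfault at 8 ip 00007fa0d0c0b0a0 sp 00007ffc11223340 error 4 in libxul.so[7fa0cf000000+6000000]
Dec 10 09:15:31 analyst-vm kernel: tshark[4310]: segfault at 0 ip 00007f11aa22bb33 sp 00007ffe99887760 error 4 in libwireshark.so.12.0.6[7f11a9e00000+1c00000]
Dec 10 09:16:00 analyst-vm sshd[900]: Accepted publickey for analyst from 10.0.0.5 port 51022 ssh2'

# Read log lines on stdin; print "timestamp,process,pid,fault_address,object" for every
# segfault of wireshark or tshark. Other processes and non-crash lines are dropped.
# Fields are located relative to the word "segfault" so an optional "[ 1234.567]"
# kernel timestamp after "kernel:" does not shift them. A fault address of 0 with
# libwireshark as the object is the shape a dissector NULL-pointer crash takes; it does
# not by itself prove CVE-2019-19553.
wireshark_segfaults() {
    awk '
        /(wireshark|tshark)\[[0-9]+\]: segfault at / {
            for (i = 1; i <= NF; i++) if ($i == "segfault") break
            ts   = $1 " " $2 " " $3                      # syslog-style date prefix
            proc = $(i-1); sub(/\[.*$/, "", proc)         # "wireshark[4242]:" -> "wireshark"
            pid  = $(i-1); sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)
            addr = $(i+2)                                 # the word after "segfault at"
            obj  = $NF; sub(/\[.*$/, "", obj)             # drop the "[base+size]" mapping range
            printf "%s,%s,%s,%s,%s\n", ts, proc, pid, addr, obj
        }'
}

# Wrappers over the constructed sample so the extraction can be checked offline.
sample_crash_count() {
    printf '%s\n' "$SAMPLE_LOG" | wireshark_segfaults | wc -l | tr -d ' '
}

sample_first_crash() {
    printf '%s\n' "$SAMPLE_LOG" | wireshark_segfaults | head -n 1
}

# Against a live host: journalctl -k | wireshark_segfaults
```

The firefox crash and the sshd login in the sample are deliberately present to show that only the two Wireshark-family records come out; feeding the rows into the SIEM rule above (or a cron job that mails them) gives the crash indicator this page asks for without any network-side signature.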
