CVE-2020-11647
📋 TL;DR
This CVE describes a denial-of-service vulnerability in Wireshark's BACapp dissector where excessive recursion could cause the application to crash. It affects Wireshark users analyzing network traffic containing BACnet/SC protocol data. The vulnerability allows attackers to disrupt network analysis operations.
💻 Affected Systems
- Wireshark
📦 What is this software?
Leap by Opensuse
Wireshark by Wireshark
⚠️ Risk & Real-World Impact
Worst Case
Complete crash of Wireshark during packet analysis, potentially causing loss of network monitoring capabilities and disrupting forensic investigations.
Likely Case
Wireshark crashes when processing specially crafted BACnet/SC packets, requiring restart and potentially losing unsaved analysis data.
If Mitigated
No impact if Wireshark is not used to analyze BACnet/SC traffic or if patched versions are deployed.
🎯 Exploit Status
Exploitation requires network access to send malicious packets to systems where Wireshark is capturing traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Wireshark 3.2.3, 3.0.10, 2.6.16 and later
Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2020-08.html
Restart Required: Yes
Instructions:
1. Download the latest Wireshark version from wireshark.org.
2. Uninstall the current version.
3. Install the patched version.
4. Restart the system, or at least the Wireshark application.
🔧 Temporary Workarounds
Disable BACapp dissector
Prevent Wireshark from processing BACnet/SC packets by disabling the vulnerable dissector (the `--disable-protocol` option turns off dissection of the named protocol for that run):
wireshark --disable-protocol bacapp
tshark --disable-protocol bacapp
Filter BACnet traffic
Use capture filters to exclude BACnet/SC traffic from analysis.
Capture filter: not port 47808
Display filter: !bacapp
🧯 If You Can't Patch
- Restrict network access to systems running Wireshark to prevent malicious packet injection.
- Use network segmentation to isolate BACnet/SC traffic from general network monitoring systems.
🔍 How to Verify
Check if Vulnerable:
Check the Wireshark version: Help → About Wireshark (GUI) or `wireshark -v` (CLI). If the version is within the affected ranges, the system is vulnerable.
Check Version:
wireshark -v | grep -i 'wireshark'
Verify Fix Applied:
Verify that the version is 3.2.3+, 3.0.10+, or 2.6.16+ (within its own branch) using the `wireshark -v` command.
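As an added example (not part of this advisory and not Wireshark project code), the following POSIX shell script automates the version check above: it extracts the version number from the first line of `wireshark -v` or `tshark -v` output, maps it to the fixed release of its own branch (3.2.3, 3.0.10, 2.6.16), and reports whether the installed build carries the fix. It assumes that the first line of the banner begins with the product name followed by the dotted version (as in `Wireshark 3.2.3 (...)` or `TShark (Wireshark) 3.2.3 (...)`); when neither binary is installed it falls back to a constructed sample banner so the script still runs offline.

```shell
#!/bin/sh
# Added example: classify an installed Wireshark/TShark version against the
# CVE-2020-11647 fixed releases (3.2.3, 3.0.10, 2.6.16 per the advisory).

# Constructed sample banner, used only when no wireshark/tshark binary is found.
SAMPLE_BANNER='Wireshark 3.2.2 (Git v3.2.2 packaged as 3.2.2-1)'

# version_from_banner LINE -> first dotted number in LINE, e.g. "3.2.2"
version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# split_ver VERSION -> sets maj/min/pat (missing components become 0,
# trailing suffixes such as "rc1" are dropped)
split_ver() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    pat=${rest%%.*}
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
}

# ver_key VERSION -> single integer usable for ordering comparisons
ver_key() {
    split_ver "$1"
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# ver_ge A B -> exit status 0 when A >= B
ver_ge() {
    [ "$(ver_key "$1")" -ge "$(ver_key "$2")" ]
}

# cve_2020_11647_status VERSION -> "fixed", "vulnerable" or "no-fix-in-advisory"
# The fix is branch-specific: a 3.0.x build is fixed at 3.0.10 even though it is
# numerically below 3.2.3, so the branch is matched before comparing.
cve_2020_11647_status() {
    split_ver "$1"
    case "$maj.$min" in
        3.2) fix=3.2.3 ;;
        3.0) fix=3.0.10 ;;
        2.6) fix=2.6.16 ;;
        *)
            # Branches newer than 3.2 postdate the fix; older branches not
            # listed in the advisory have no fixed release stated for them.
            if ver_ge "$1" 3.2.3; then echo fixed; else echo no-fix-in-advisory; fi
            return
            ;;
    esac
    if ver_ge "$1" "$fix"; then echo fixed; else echo vulnerable; fi
}

main() {
    if command -v wireshark >/dev/null 2>&1; then
        banner=$(wireshark -v 2>/dev/null | head -n 1)
    elif command -v tshark >/dev/null 2>&1; then
        banner=$(tshark -v 2>/dev/null | head -n 1)
    else
        banner=$SAMPLE_BANNER   # constructed fallback, see above
    fi
    ver=$(version_from_banner "$banner")
    echo "Wireshark version $ver: $(cve_2020_11647_status "$ver")"
}

main
```

The branch-aware comparison is the part worth copying: a naive "is the version at least 3.2.3" test would wrongly flag a patched 3.0.10 or 2.6.16 build as vulnerable, and the same pattern applies to any advisory that ships fixes on several maintenance branches at once.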
📡 Detection & Monitoring
Log Indicators:
- Wireshark crash logs or core dumps
- Application event logs showing Wireshark abnormal termination
Network Indicators:
- Unusual BACnet/SC traffic patterns targeting monitoring systems
- Multiple BACnet packets with recursive structures
SIEM Query:
source="wireshark.log" AND ("crash" OR "segmentation fault" OR "abnormal termination")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00038.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
- https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=6f56fc9496db158218243ea87e3660c874a0bab0
- https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html
- https://security.gentoo.org/glsa/202007-13
- https://www.wireshark.org/security/wnpa-sec-2020-07.html