CVE-2020-15466

7.5 HIGH

📋 TL;DR

An infinite loop in Wireshark's GVCP (GigE Vision Control Protocol) dissector. A crafted packet makes the dissector loop without ever advancing its offset, so Wireshark or tshark hangs on that packet: a denial of service, not code execution. Affected: Wireshark 3.2.0 through 3.2.4; fixed in 3.2.5. Anyone who captures or opens GVCP traffic with a vulnerable build is exposed, including analysts who open capture files they did not record themselves.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.2.0 to 3.2.4
Operating Systems: All platforms running Wireshark
Default Config Vulnerable: ⚠️ Yes
Notes: The GVCP (GigE Vision Control Protocol) dissector is enabled by default and is applied to UDP port 3956, so any installation in the affected range that sees such traffic is vulnerable without further configuration. Dissection runs both on live capture and when a saved capture file (pcap/pcapng) is opened, so a hostile capture file is as effective a trigger as hostile packets on the wire.

📦 What is this software?

Wireshark is the widely used open-source network protocol analyzer, with tshark as its command-line counterpart. Every protocol is decoded by a dissector in its epan library, so a bug in one dissector is reachable by whatever traffic that dissector is asked to decode. GVCP is the control channel of the GigE Vision machine-vision camera standard, carried over UDP on port 3956.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Wireshark or tshark stops responding entirely: the dissector spins on a single packet and pins one CPU core until the process is killed, so any capture not yet saved is lost and the monitoring or troubleshooting that depended on the tool stops.

🟠

Likely Case

Wireshark hangs while processing the malicious GVCP packet (live, or inside a capture file it was asked to open); the process has to be killed and restarted, losing any unsaved capture data.

🟢

If Mitigated

Minimal impact if the GVCP dissector is disabled or GVCP traffic is excluded by a capture filter, or if network segmentation keeps untrusted traffic away from analysis hosts and capture files from untrusted sources are not opened on unpatched builds.

🌐 Internet-Facing: LOW - Wireshark is not itself internet-facing; the realistic external path is a capture file sent in from outside (for example attached to a support ticket) and opened by an analyst on a vulnerable build.
🏢 Internal Only: MEDIUM - Internal attackers could craft malicious GVCP packets to crash Wireshark instances used for network monitoring or troubleshooting.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires that a vulnerable Wireshark or tshark dissect the crafted packet: either by capturing it on a monitored interface, or by opening a capture file that contains it. The packet has to be on UDP port 3956 (the dissector's registered port) or explicitly routed to GVCP via Decode As. No authentication is involved; this is a parsing bug in the analyzer, not in a network service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.2.5 and later

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2020-10.html

Restart Required: Yes (Wireshark and tshark must be restarted to load the new binaries; a system reboot is not needed unless the Windows installer updates Npcap and asks for one)

Instructions:

1. Install Wireshark 3.2.5 or later: from the installer at wireshark.org on Windows and macOS (it upgrades in place, no separate uninstall is needed), or through your distribution's package manager on Linux. A distribution may instead backport the fix into its existing 3.2.x package, so check the package changelog for CVE-2020-15466 before trusting the version number alone.
2. Close every running Wireshark and tshark instance so the updated binaries and dissector library are loaded.
3. Confirm the version with Help → About Wireshark, or 'wireshark --version' / 'tshark --version'.

🔧 Temporary Workarounds

Disable GVCP Dissector

all

Disable the vulnerable dissector so GVCP packets are shown as undissected UDP payload instead of being parsed. Both Wireshark and tshark accept --disable-protocol on the command line; for a persistent change use Analyze → Enabled Protocols in the GUI, which records the choice in the profile's disabled_protos file so tshark honours it as well. Note that GVCP is UDP and has no reassembly preference, so setting preferences with -o does not address this bug; the dissector has to be switched off.

wireshark --disable-protocol gvcp
tshark --disable-protocol gvcp -r capture.pcapng

Filter GVCP Traffic

all

Use a capture filter to drop GVCP traffic before the dissector ever sees it. Two limits: a capture filter applies only to live capture, not to capture files opened later, and it removes the GVCP traffic from your view entirely, so it is the cruder of the two workarounds.

wireshark -f "not port 3956"
tshark -f "not port 3956"

🧯 If You Can't Patch

  • Restrict network access to Wireshark systems to prevent malicious GVCP packets from reaching them
  • Do not open capture files from untrusted sources on an unpatched build; if one has to be triaged, run tshark with --disable-protocol gvcp under a timeout rather than opening it in the GUI
  • Use alternative network analysis tools temporarily until Wireshark can be updated

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version: Help → About Wireshark in the GUI, or 'wireshark --version' / 'tshark --version' on the command line. If the version is 3.2.0 through 3.2.4 inclusive, the build is vulnerable. The advisory's affected range is the 3.2 branch only; earlier branches such as 3.0.x are not listed for this CVE.

Check Version:

wireshark --version | head -1

Verify Fix Applied:

Confirm the version is 3.2.5 or later with 'wireshark --version' or 'tshark --version'. The version check is the reliable test; capturing ordinary GVCP traffic proves nothing, because only a malformed packet triggers the loop. If you have a capture that reproduced the hang, open it in the updated build with tshark under a timeout and confirm the run completes.
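The dissector workaround and the version check above combine into one triage wrapper. The following is an added example written for this page, not code from the Wireshark project: it parses the version string, decides whether the installed build falls in the advisory's 3.2.0 to 3.2.4 range, and, when it does (or when the version cannot be determined at all), runs tshark with the GVCP dissector disabled and under a wall-clock timeout, so an infinite loop in a hostile capture file ends with a killed process rather than a hung analyst session. It assumes a POSIX shell, tshark on PATH and GNU coreutils timeout; the 60-second bound and the function names are this example's own choices, and the version strings shown in the comments are constructed samples.

```shell
#!/bin/sh
# Added example for CVE-2020-15466 triage (not Wireshark project code).
# Assumptions: POSIX sh, tshark on PATH, GNU coreutils `timeout`.

# Pull "x.y.z" out of the first line of `wireshark --version` or
# `tshark --version`, e.g. (constructed samples):
#   "Wireshark 3.2.4 (v3.2.4-0-gabcdef012345)"          -> 3.2.4
#   "TShark (Wireshark) 3.2.5 (v3.2.5-0-gabcdef012345)" -> 3.2.5
# Prints nothing if no version number is found.
parse_wireshark_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Exit status: 0 = inside the advisory's affected range (3.2.0 .. 3.2.4),
#              1 = outside it (3.2.5 and later, other branches),
#              2 = version unknown (empty string).
wireshark_is_vulnerable() {
    case "$1" in
        3.2.[0-4]) return 0 ;;
        '')        return 2 ;;
        *)         return 1 ;;
    esac
}

# Print the command head to use for VERSION. A build that is not known to
# be safe gets the GVCP dissector disabled (the same effect as unticking it
# under Analyze > Enabled Protocols) and a 60 s wall-clock bound. An unknown
# version deliberately takes the guarded path: a parse failure must never
# silently switch the guard off.
tshark_guard() {
    wireshark_is_vulnerable "$1" && status=0 || status=$?
    if [ "$status" -eq 1 ]; then
        printf 'tshark\n'
    else
        printf 'timeout 60 tshark --disable-protocol gvcp\n'
    fi
}

# Dissect FILE with whatever guard the installed build needs.
# Usage: safe_tshark suspect.pcapng
safe_tshark() {
    file=$1
    version=$(parse_wireshark_version "$(tshark --version 2>/dev/null | head -n 1)")
    # The guard tokens are fixed words, so the unquoted expansion is intended;
    # only the file name is quoted.
    $(tshark_guard "$version") -r "$file"
}

if [ -n "${1:-}" ]; then
    safe_tshark "$1"
fi
```

On a patched build the wrapper degrades to plain tshark, so it can stay in place after the upgrade. A timeout expiry (exit status 124 from GNU timeout) on an otherwise healthy file is itself a signal worth keeping: it marks the capture as one that triggers the loop and should not be opened in the GUI on that build.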

📡 Detection & Monitoring

Log Indicators:

  • A wireshark or tshark process pinned at 100% of one CPU core with no further output; this is an infinite loop rather than a crash, so there may be no crash log at all
  • Application event logs showing Wireshark being killed or terminated by the user after becoming unresponsive
  • Process telemetry (EDR, ps/top collectors) showing tshark runs that never exit

Network Indicators:

  • Unusual GVCP traffic patterns
  • Multiple GVCP packets with malformed structure
  • Traffic to port 3956 (GVCP default) with abnormal patterns

SIEM Query:

Wireshark writes no application log of its own, so the host-side signal is process telemetry (a wireshark or tshark process at sustained full CPU with no output) and the network-side signal is UDP traffic to port 3956 from hosts that are not GigE Vision cameras or controllers. Field names depend on your schema; an illustrative query in that shape:

(process_name IN ("wireshark", "tshark") AND cpu_percent > 95 AND duration_seconds > 300) OR (dest_port = 3956 AND protocol = "udp" AND NOT src_ip IN <known_gige_vision_hosts>)

🔗 References

  • Wireshark advisory wnpa-sec-2020-10: https://www.wireshark.org/security/wnpa-sec-2020-10.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-15466
