CVE-2020-25862

7.5 HIGH

📋 TL;DR

This vulnerability in Wireshark's TCP dissector allows remote attackers to cause a denial of service (crash) by sending specially crafted TCP packets with an invalid 0xFFFF checksum. It affects users running vulnerable versions of Wireshark to analyze network traffic. The crash occurs during packet dissection when processing malformed TCP segments.

💻 Affected Systems

Products:
  • Wireshark
Versions: Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Wireshark installations within the affected version ranges are vulnerable when analyzing TCP traffic. The vulnerability is triggered during normal packet dissection operations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes when analyzing malicious network traffic, disrupting network analysis and monitoring activities. In automated environments, this could cause monitoring systems to fail.

🟠 Likely Case

Wireshark crashes when encountering specially crafted TCP packets, requiring manual restart of the application. This disrupts network troubleshooting and analysis work.

🟢 If Mitigated

With proper segmentation and limited network exposure, the impact is minimal as Wireshark would only crash when analyzing malicious traffic from trusted sources.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted TCP packets that would be processed by Wireshark. No authentication is needed as this is triggered during packet analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.2.7, 3.0.14, and 2.6.21

Vendor Advisory: https://gitlab.com/wireshark/wireshark/-/issues/16816

Restart Required: Yes

Instructions:

1. Download the patched version from wireshark.org.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart Wireshark and any related services.

🔧 Temporary Workarounds

Disable TCP dissection (Platforms: all)

Prevents Wireshark from dissecting TCP packets, which avoids triggering the vulnerability but limits functionality.

Edit preferences -> Protocols -> TCP -> Uncheck 'Allow subdissector to reassemble TCP streams'

Use capture filters (Platforms: all)

Filter out potentially malicious TCP traffic before it reaches Wireshark.

Use capture filters like 'not tcp' or limit to trusted sources.

🧯 If You Can't Patch

  • Restrict Wireshark to analyzing traffic from trusted networks only
  • Run Wireshark in isolated environments with limited network exposure

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version via Help -> About Wireshark. If version is between 2.6.0-2.6.20, 3.0.0-3.0.13, or 3.2.0-3.2.6, you are vulnerable.

Check Version:

wireshark --version | grep 'Wireshark'

Verify Fix Applied:

Verify version is 2.6.21+, 3.0.14+, or 3.2.7+. Test by capturing TCP traffic with invalid checksums to ensure no crash occurs.
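The version check above, as an added helper script that is not part of this advisory: it parses the output of `wireshark --version` and compares the x.y.z version against the affected and fixed ranges listed on this page. The sample output string is constructed; any version outside the three listed branches is reported as "other-branch" because the advisory does not cover it.

```python
import re
import subprocess

# Ranges from the advisory: (first affected, last affected, first fixed)
AFFECTED_BRANCHES = [
    ((2, 6, 0), (2, 6, 20), (2, 6, 21)),
    ((3, 0, 0), (3, 0, 13), (3, 0, 14)),
    ((3, 2, 0), (3, 2, 6), (3, 2, 7)),
]

# Constructed sample of `wireshark --version` output (not real output)
SAMPLE_OUTPUT = "Wireshark 3.2.6 (v3.2.6-0-gdeadbeef)\n\nCopyright ..."


def parse_version(text):
    """Return the first x.y.z version in `text` as a tuple of ints."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no x.y.z version string found")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Classify a version tuple against the advisory's branches.

    Returns 'vulnerable', 'fixed', or 'other-branch' (a release line the
    advisory does not list, e.g. 3.4.x, which is not assessed here).
    """
    for first, last, fixed in AFFECTED_BRANCHES:
        if version[:2] != first[:2]:
            continue  # different release line
        if first <= version <= last:
            return "vulnerable"
        if version >= fixed:
            return "fixed"
    return "other-branch"


def check_output(text):
    """Parse version output and return its assessment."""
    return assess(parse_version(text))


def check_installed():
    """Run the locally installed wireshark binary and assess it."""
    out = subprocess.run(["wireshark", "--version"],
                         capture_output=True, text=True, check=True).stdout
    return check_output(out)


if __name__ == "__main__":
    print(SAMPLE_OUTPUT.splitlines()[0], "->", check_output(SAMPLE_OUTPUT))
```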

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs, segmentation fault errors in system logs

Network Indicators:

  • TCP packets with 0xFFFF checksum value in network captures

SIEM Query:

source="wireshark.log" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
