CVE-2020-28030

7.5 HIGH

📋 TL;DR

This vulnerability in Wireshark's GQUIC protocol dissector allows attackers to cause a denial-of-service crash by sending specially crafted network packets. It affects Wireshark users analyzing network traffic, particularly security analysts and network administrators. The crash occurs when parsing malformed GQUIC packets due to incorrect offset advancement.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.2.0 to 3.2.7
Operating Systems: All platforms running Wireshark
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when analyzing GQUIC protocol traffic; users not analyzing GQUIC traffic are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Wireshark application crash leading to loss of captured network data and disruption of network analysis activities.

🟠 Likely Case

Application crash when analyzing malicious or malformed GQUIC network traffic, requiring restart of Wireshark.

🟢 If Mitigated

No impact if Wireshark is not used to analyze GQUIC traffic or if a patched version is installed.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool run locally.
🏢 Internal Only: MEDIUM - Internal users running vulnerable Wireshark versions could experience crashes when analyzing network traffic containing malicious GQUIC packets.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed GQUIC packets that the target analyzes with Wireshark; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.2.8 and later

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2020-15.html

Restart Required: Yes

Instructions:

1. Download the latest Wireshark from wireshark.org
2. Install over the existing version
3. Restart Wireshark and any related services

🔧 Temporary Workarounds

Disable GQUIC dissector

Platforms: all

Prevent Wireshark from parsing GQUIC traffic by disabling the dissector.

Edit -> Preferences -> Protocols -> GQUIC -> Uncheck 'Enable GQUIC protocol'

Use capture filters

Platforms: all

Filter out GQUIC traffic during capture so the dissector is never invoked on it.

Use capture filter: not port 443 or not udp port 443

Note that this filter drops all UDP/443 traffic, not only GQUIC, and that GQUIC carried on any other UDP port is still captured and dissected.

🧯 If You Can't Patch

  • Avoid analyzing unknown or untrusted network traffic with vulnerable Wireshark versions
  • Use network segmentation to limit exposure to potentially malicious GQUIC traffic

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: Help -> About Wireshark. If the version is between 3.2.0 and 3.2.7 inclusive, you are vulnerable.

Check Version:

wireshark -v | grep 'Wireshark'

Verify Fix Applied:

Verify version is 3.2.8 or higher in Help -> About Wireshark, then test with sample GQUIC traffic.
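As an added example (not part of this advisory), a POSIX shell check that parses the version line printed by `wireshark -v` or `tshark -v` and reports whether it falls in the affected 3.2.0 to 3.2.7 range; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Wireshark/TShark version
# against the CVE-2020-28030 affected range (3.2.0 to 3.2.7, fixed in 3.2.8).

# Pull "X.Y.Z" out of the first line of `wireshark -v` or `tshark -v`,
# e.g. "Wireshark 3.2.7 (Git v3.2.7 packaged as 3.2.7-1)" -> "3.2.7".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit status 0 when the version is inside the affected range.
is_vulnerable() {
    v="$1"
    case "$v" in
        *.*.*) ;;
        *) return 1 ;;          # not an X.Y.Z string; treat as unknown
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}     # drop any suffix, e.g. "7rc0" -> "7"
    [ -n "$patch" ] || return 1
    if [ "$major" -eq 3 ] && [ "$minor" -eq 2 ] && [ "$patch" -le 7 ]; then
        return 0
    fi
    return 1
}

# Check whichever of wireshark/tshark is installed and print a verdict.
check_installed() {
    for bin in wireshark tshark; do
        command -v "$bin" >/dev/null 2>&1 || continue
        line=$("$bin" -v 2>/dev/null | head -n 1)
        ver=$(extract_version "$line")
        if [ -z "$ver" ]; then
            echo "$bin: could not parse a version from: $line"
        elif is_vulnerable "$ver"; then
            echo "$bin $ver: affected by CVE-2020-28030, upgrade to 3.2.8 or later"
        else
            echo "$bin $ver: not in the affected range"
        fi
        return 0
    done
    echo "no wireshark or tshark binary found in PATH"
    return 1
}
```

Run `check_installed` on the analysis host; `is_vulnerable` can also be fed version strings gathered from a software inventory.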

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events showing Wireshark termination

Network Indicators:

  • Malformed GQUIC packets on network
  • Unexpected GQUIC traffic to analysis systems

SIEM Query:

source="wireshark" AND (event_type="crash" OR severity="critical")
