CVE-2021-39920

7.5 HIGH

📋 TL;DR

A NULL pointer dereference vulnerability in Wireshark's IPPUSB dissector allows attackers to cause denial of service via specially crafted network packets or capture files. This affects Wireshark users analyzing network traffic, particularly those processing untrusted data. The vulnerability can crash Wireshark but doesn't allow arbitrary code execution.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.9
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Wireshark installations in affected version range are vulnerable when processing IPPUSB traffic or capture files containing such traffic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes when processing malicious packets or capture files, disrupting network analysis activities and potentially causing data loss if unsaved work is present.

🟠 Likely Case

Wireshark crashes when analyzing malicious network traffic or opening crafted capture files, requiring restart of the application.

🟢 If Mitigated

No impact if Wireshark is not used or if patched versions are deployed.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool run locally.
🏢 Internal Only: MEDIUM - Internal users could be affected if they analyze malicious traffic or files, but exploitation requires user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious packets on a network being monitored or providing a crafted capture file. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.10 and later

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-12.html

Restart Required: Yes

Instructions:

1. Download Wireshark 3.4.10 or later from wireshark.org.
2. Install the update following platform-specific instructions.
3. Restart Wireshark after installation.

🔧 Temporary Workarounds

Disable IPPUSB dissector
Applies to: all
Purpose: Prevent Wireshark from processing IPPUSB protocol traffic
Steps: Edit preferences -> Protocols -> IPPUSB -> Uncheck 'Enable IPPUSB protocol'

Use capture filters
Applies to: all
Purpose: Filter out IPPUSB traffic during capture
Steps: Use capture filter: not usb

🧯 If You Can't Patch

  • Avoid analyzing untrusted network traffic or capture files
  • Run Wireshark in isolated environments or virtual machines
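The dissector workaround above is described for the GUI. The script below is an added example, not part of this advisory or of the Wireshark project, showing the same change applied to a Wireshark profile on disk so it can be rolled out with configuration management: it appends the dissector's filter name to the profile's disabled_protos file (one filter name per line, '#' comments) without duplicating an existing entry. It assumes that file format and that the IPPUSB dissector's filter name is "ippusb"; the directory it writes to is a throwaway one created for the demonstration, not a real profile.

```shell
#!/bin/sh
# Added example (not from the advisory): list the IPPUSB dissector in a
# Wireshark profile's disabled_protos file so it is never invoked.
# Assumptions: disabled_protos holds one protocol filter name per line
# (with '#' comments), and the IPPUSB dissector's filter name is "ippusb".
set -eu

# Filter name of the dissector to disable (assumed, see above)
IPPUSB_PROTO="ippusb"

# disable_proto DIR PROTO
# Adds PROTO to DIR/disabled_protos unless it is already listed. DIR is the
# Wireshark personal configuration directory (e.g. ~/.config/wireshark).
disable_proto() {
    dir="$1"
    proto="$2"
    file="$dir/disabled_protos"
    mkdir -p "$dir"
    [ -f "$file" ] || : > "$file"
    # -x matches whole lines only, -F takes the name literally
    if grep -qxF "$proto" "$file"; then
        return 0
    fi
    printf '%s\n' "$proto" >> "$file"
}

# is_disabled DIR PROTO -> exit status 0 if PROTO is listed in DIR/disabled_protos
is_disabled() {
    grep -qxF "$2" "$1/disabled_protos" 2>/dev/null
}

# Demonstration against a constructed throwaway directory, not a real profile
demo_dir="${TMPDIR:-/tmp}/wireshark-demo-$$"
disable_proto "$demo_dir" "$IPPUSB_PROTO"
disable_proto "$demo_dir" "$IPPUSB_PROTO"   # second call must not add a duplicate
if is_disabled "$demo_dir" "$IPPUSB_PROTO"; then
    echo "ippusb listed in $demo_dir/disabled_protos"
fi
rm -rf "$demo_dir"
```

For one-off command-line analysis of an untrusted capture, tshark's `--disable-protocol ippusb` option achieves the same effect for a single run without touching the profile.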

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version via Help -> About Wireshark. If version is between 3.4.0 and 3.4.9 inclusive, you are vulnerable.

Check Version:

wireshark --version

Verify Fix Applied:

Verify Wireshark version is 3.4.10 or later. Test with known malicious IPPUSB capture files to ensure no crash occurs.
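The version check above is easy to get wrong in a script because "3.4.10" sorts before "3.4.9" as a string. The script below is an added example, not part of the advisory, that parses a `wireshark --version` style line and compares the components numerically against the affected range 3.4.0 through 3.4.9. The sample lines it checks are constructed to resemble that command's output.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Wireshark version
# string falls inside the affected range 3.4.0 through 3.4.9.
set -eu

# extract_version LINE -> prints the first X.Y.Z triple found in LINE
# Handles output such as "Wireshark 3.4.9 (Git v3.4.9 packaged as 3.4.9-1)".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_affected X.Y.Z -> exit status 0 if 3.4.0 <= X.Y.Z <= 3.4.9
# Each component is compared as a number, so 3.4.10 is correctly outside the range.
version_affected() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$major" -eq 3 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 0 ] && [ "$patch" -le 9 ]
}

# check_version_line LINE -> prints VULNERABLE, NOT_AFFECTED or UNKNOWN
check_version_line() {
    v="$(extract_version "$1")"
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_affected "$v"; then
        echo "VULNERABLE"
    else
        echo "NOT_AFFECTED"
    fi
}

# Constructed sample lines standing in for `wireshark --version` output
check_version_line "Wireshark 3.4.9 (Git v3.4.9 packaged as 3.4.9-1)"
check_version_line "Wireshark 3.4.10 (Git v3.4.10 packaged as 3.4.10-1)"
check_version_line "Wireshark 3.6.0 (Git v3.6.0 packaged as 3.6.0-1)"
```

In practice the line would come from `wireshark --version | head -n 1` (or `tshark --version`); the functions only look at the first X.Y.Z triple, so distribution packaging suffixes are ignored.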

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs, application termination events

Network Indicators:

  • Malformed IPPUSB packets, unusual USB traffic patterns

SIEM Query:

(EventID = 1000 AND Source = "Application Error" AND Message contains "wireshark.exe") OR (Process Name = "wireshark" AND Termination Reason = "Exception")

This is pseudo-query syntax; adapt the field names to your SIEM's schema.
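As an added example of the crash signature above applied to exported logs (not part of the advisory), the script below filters key=value event lines for Event ID 1000 records whose faulting application is wireshark.exe and pulls out the timestamp, faulting version and exception code. The log lines are constructed for the example and the field layout is assumed; adjust the patterns to your own export format.

```shell
#!/bin/sh
# Added example (not from the advisory): find Windows Application Error
# (Event ID 1000) records for wireshark.exe in an exported log. The line
# format is constructed for this example. Exception code 0xc0000005 is an
# access violation, the usual symptom of a NULL pointer dereference on Windows.
set -eu

# Constructed sample export, one event per line
SAMPLE_LOG='2021-10-20T10:15:02Z EventID=1000 Source="Application Error" Message="Faulting application name: Wireshark.exe, version: 3.4.9.0, Exception code: 0xc0000005"
2021-10-20T10:16:44Z EventID=1000 Source="Application Error" Message="Faulting application name: notepad.exe, version: 10.0.19041.1, Exception code: 0xc0000005"
2021-10-20T10:17:10Z EventID=4624 Source="Security" Message="An account was successfully logged on."
2021-10-20T10:19:31Z EventID=1000 Source="Application Error" Message="Faulting application name: wireshark.exe, version: 3.4.7.0, Exception code: 0xc0000005"'

# wireshark_crash_events: reads events on stdin, prints
# "timestamp version exception_code" for each EventID=1000 line whose
# faulting application is wireshark.exe (matched case-insensitively)
wireshark_crash_events() {
    awk '
        /EventID=1000/ && tolower($0) ~ /faulting application name: wireshark\.exe/ {
            ts = $1
            ver = ""; code = ""
            # "version: " is 9 characters, "Exception code: " is 16
            if (match($0, /version: [0-9.]+/)) ver = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, /Exception code: 0x[0-9a-fA-F]+/)) code = substr($0, RSTART + 16, RLENGTH - 16)
            print ts, ver, code
        }'
}

# count_wireshark_crashes: reads events on stdin, prints the number of matches
count_wireshark_crashes() {
    wireshark_crash_events | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | wireshark_crash_events
printf '%s\n' "$SAMPLE_LOG" | count_wireshark_crashes
```

Pairing the faulting version with the affected range (3.4.0 to 3.4.9) tells you at a glance whether a crash came from an unpatched install; a burst of such events from one analyst workstation is worth correlating with the capture files opened at that time.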

🔗 References
