CVE-2021-39921

CVSS v3 base score: 7.5 HIGH

📋 TL;DR

A NULL pointer dereference in Wireshark's Modbus dissector lets an attacker crash the application with specially crafted Modbus packets, either injected onto a network that Wireshark is capturing from or stored in a capture file the user opens. The result is denial of service of the analysis session; the bug does not allow arbitrary code execution. Anyone who captures Modbus/TCP traffic or opens capture files from untrusted sources with an affected version is exposed, and tshark is affected in the same way because it uses the same dissector.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: The Modbus dissectors are enabled by default, so any capture that contains Modbus traffic (Modbus/TCP is decoded on TCP port 502 out of the box) reaches the vulnerable code; the user does not have to be deliberately analyzing Modbus. Headless capture hosts running tshark are affected as well.

📦 What is this software?

Wireshark is the widely used free and open-source network protocol analyzer; tshark is its command-line counterpart and shares the same dissection engine (libwireshark). Modbus is an industrial control protocol used to talk to PLCs and other field devices; Wireshark dissects it over TCP (Modbus/TCP, port 502 by default), over UDP and over serial lines (Modbus RTU).

⚠️ Risk & Real-World Impact

🔴 Worst Case

A Wireshark or tshark instance that continuously captures a segment carrying Modbus traffic is crashed on demand by anyone who can put packets on that segment, knocking out monitoring until someone restarts it; repeated injection keeps it down.

🟠 Likely Case

Wireshark crashes when an analyst opens a crafted capture file or captures traffic containing the crafted Modbus packets, and has to be restarted; any unsaved capture data is lost.

🟢 If Mitigated

With the Modbus dissectors disabled the crafted packets are never parsed, and with network segmentation only hosts on the monitored segment can inject them. Capture files remain a vector until the patched version (3.4.10 or 3.2.18) is installed, which is the only complete fix.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool used internally.
🏢 Internal Only: MEDIUM - An attacker on the same segment as a capturing Wireshark or tshark instance, or on any link mirrored to it, can crash it at will by sending crafted Modbus packets.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs either the ability to inject packets onto a segment that a vulnerable Wireshark or tshark is capturing from, or a way to get a user to open a crafted capture file (for example one attached to a ticket or shared for troubleshooting). The crash reproducer is attached to the Wireshark GitLab issue referenced in the vendor advisory. The attacker gains a crash, not code execution, so "weaponized" here means only that the reproducer works as-is.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.4.10 and 3.2.18

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-14.html

Restart Required: Yes

Instructions:

1. Download Wireshark 3.4.10 or later (or 3.2.18 or later on the 3.2 branch) from wireshark.org, or take the updated package from your distribution.
2. Install it over the existing version (the Windows and macOS installers upgrade in place; a separate uninstall is not required).
3. Restart every running Wireshark and tshark process so it loads the new libwireshark; a system reboot is not needed.
4. Confirm the version with Help -> About Wireshark or with wireshark --version / tshark --version.

🔧 Temporary Workarounds

Disable Modbus dissectors (all platforms)

Temporarily disable the vulnerable Modbus dissectors so the crafted packets are shown as undissected TCP/UDP payload instead of being parsed.

GUI: Analyze -> Enabled Protocols..., search for "modbus", and uncheck Modbus together with its Modbus/TCP, Modbus/UDP and Modbus RTU transport entries. (There is no enable checkbox under Edit -> Preferences -> Protocols; enabling and disabling dissectors is done from the Enabled Protocols dialog.) The setting is stored in the disabled_protos file of the active profile and persists across restarts.

Command line: start with the dissectors disabled for that session, e.g. tshark --disable-protocol modbus --disable-protocol mbtcp -r suspect.pcapng; the wireshark binary accepts the same option.

Caveat: while the dissectors are off, Modbus traffic is no longer decoded at all, so this is a stopgap for hosts that must keep capturing until they are patched, not a fix.

Network segmentation (all platforms)

Keep Modbus/TCP traffic, and the SPAN/mirror ports that feed Wireshark instances, on trusted networks so that only authorized hosts can place packets in front of a vulnerable dissector.

🧯 If You Can't Patch

  • Restrict Wireshark usage to trusted personnel only
  • Treat capture files from outside the team as untrusted input: open them first with tshark in a throwaway VM or container, or not at all
  • Avoid live-capturing Modbus traffic on segments where untrusted hosts can inject packets

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version under Help -> About Wireshark. Versions 3.4.0 through 3.4.9 and 3.2.0 through 3.2.17 are vulnerable. Check tshark on headless capture hosts as well (tshark --version), since it shares the dissector.

Check Version:

wireshark --version

Verify Fix Applied:

Confirm the version is 3.4.10 or later on the 3.4 branch, or 3.2.18 or later on the 3.2 branch. If you want to test behaviour, replay a known crash capture only in an isolated environment (tshark -r on the file is enough) and confirm it completes without a crash; do not open untrusted test captures on an analyst's production workstation.
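The version check above is easy to get wrong across two maintenance branches, so here is an added example (not code from the advisory or the Wireshark project) that parses the first line of `wireshark --version` or `tshark --version` output and classifies it against the ranges the advisory lists. The banner strings in the test are constructed; the classification boundaries are the advisory's own.

```python
"""Classify a Wireshark/tshark version against the CVE-2021-39921 advisory.

Added example, not from the advisory or the Wireshark project. It parses the
first line of `wireshark --version` / `tshark --version` output and reports
whether the build is in an affected range (3.2.0-3.2.17, 3.4.0-3.4.9), fixed
(3.2.18+, 3.4.10+) or on a branch the advisory does not mention.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Straight from the advisory: branch -> (last affected release, first fixed release)
AFFECTED_BRANCHES = {
    (3, 2): ((3, 2, 17), (3, 2, 18)),
    (3, 4): ((3, 4, 9), (3, 4, 10)),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Version]:
    """Extract the first x.y.z triple from a --version banner.

    Works for both "Wireshark 3.4.9 (Git v3.4.9 packaged as 3.4.9-1)" and
    "TShark (Wireshark) 3.4.9 (...)"; returns None if no triple is present.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Return 'vulnerable', 'fixed' or 'not_in_advisory' for a version triple."""
    branch = AFFECTED_BRANCHES.get(version[:2])
    if branch is None:
        # e.g. 3.0.x or 3.6.x: the advisory says nothing about these branches
        return "not_in_advisory"
    last_affected, _first_fixed = branch
    return "vulnerable" if version <= last_affected else "fixed"


def classify_banner(banner: str) -> str:
    """Classify a raw --version banner; 'unknown' if it carries no version."""
    v = parse_version(banner)
    return "unknown" if v is None else classify(v)


def installed_banner(binary: str = "tshark") -> Optional[str]:
    """Run `<binary> --version` and return its first line, or None if not installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    # Check both binaries: a patched GUI next to an unpatched tshark still leaves a gap.
    for binary in ("wireshark", "tshark"):
        banner = installed_banner(binary)
        if banner is None:
            print(f"{binary}: not installed")
        else:
            print(f"{binary}: {banner} -> {classify_banner(banner)}")
```

Run it on every host that captures traffic, not only analyst workstations; the `not_in_advisory` result is deliberately not treated as safe, because the advisory only speaks for the 3.2 and 3.4 branches.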

📡 Detection & Monitoring

Log Indicators:

  • Wireshark or tshark crash records. On Linux these are kernel "segfault" messages naming wireshark or tshark in the journal or syslog (a fault address of 0 is the signature of a NULL pointer dereference) and core dumps collected by systemd-coredump or abrt.
  • On Windows, Application log Event ID 1000 (Application Error) with Faulting application name Wireshark.exe or tshark.exe and exception code 0xc0000005 (access violation).

Network Indicators:

  • Modbus/TCP (port 502) packets on segments where no Modbus devices are expected, or from hosts that are neither Modbus masters nor slaves
  • Modbus packets with unexpected function codes or lengths, especially ones that appear immediately before a capture host stops reporting

SIEM Query:

Wireshark does not write a crash log of its own, so search the operating system logs. Illustrative Splunk-style searches (index and sourcetype names are placeholders for your environment):

sourcetype=syslog "segfault at 0" ("wireshark" OR "tshark")

sourcetype=WinEventLog:Application EventCode=1000 ("Wireshark.exe" OR "tshark.exe")
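The detection logic behind those searches, as an added example that is not part of the advisory: it scans log lines for Wireshark or tshark crash records in the two formats above, marks Linux faults at a near-zero address as NULL dereferences, and ignores crashes of other processes. The sample log lines are constructed for the example, and the flattened Windows event format (EventCode=... on one line) is an assumption about how a forwarder would ship it.

```python
"""Find Wireshark/tshark crash records in OS logs (CVE-2021-39921 triage).

Added example, not part of the advisory. Wireshark itself keeps no crash log,
so the signal lives in the OS: Linux kernel segfault lines and Windows
Application Error events (ID 1000). A Linux fault address in the first page
(below 0x1000) is the fingerprint of a NULL pointer dereference, possibly
with a small struct offset. SAMPLE_LOG below is constructed for the example.
"""
import re
from typing import Dict, Iterable, List

# Linux kernel segfault report, as written to the journal / syslog.
_LINUX_RE = re.compile(
    r"(?P<proc>wireshark|tshark)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip "
)

# Windows Event ID 1000 body, flattened to one line by a log forwarder (assumed layout).
_WINDOWS_RE = re.compile(
    r"Faulting application name: (?P<proc>Wireshark|tshark)\.exe.*?"
    r"Exception code: (?P<code>0x[0-9a-fA-F]+)",
    re.IGNORECASE,
)

# Constructed sample: one NULL-deref crash of wireshark, one unrelated tshark
# crash in libc, a firefox crash that must be ignored, and one Windows event.
SAMPLE_LOG = """\
Oct 14 10:21:03 analyst1 kernel: wireshark[4312]: segfault at 0 ip 00007f3c1a2b4d10 sp 00007ffd2e1a9c40 error 4 in libwireshark.so[7f3c19e00000+1c00000]
Oct 14 10:21:05 analyst1 systemd[1]: Started Process Core Dump (PID 4330/UID 0).
Oct 14 11:02:44 sensor2 kernel: tshark[889]: segfault at 7f0a12345678 ip 00007f0a1f00c2a0 sp 00007ffe0b0c1d10 error 4 in libc.so.6[7f0a1ef00000+1c0000]
Oct 14 11:30:12 analyst1 kernel: firefox[2211]: segfault at 0 ip 0000560b1c2d3e40 sp 00007ffc3f1a2b50 error 6 in firefox[560b1c000000+400000]
2021-10-14T12:05:31Z host=WIN-ANALYST EventCode=1000 Faulting application name: Wireshark.exe, version: 3.4.9.0, Faulting module name: libwireshark.dll, Exception code: 0xc0000005, Fault offset: 0x00000000002b4d10
"""


def find_crashes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per Wireshark/tshark crash found in the lines."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = _LINUX_RE.search(line)
        if m:
            addr = int(m.group("addr"), 16)
            hits.append({
                "os": "linux",
                "process": m.group("proc"),
                "pid": int(m.group("pid")),
                "fault_address": addr,
                "null_deref": addr < 0x1000,  # first page is never mapped: NULL-based access
                "raw": line.strip(),
            })
            continue
        m = _WINDOWS_RE.search(line)
        if m:
            hits.append({
                "os": "windows",
                "process": m.group("proc").lower(),
                "pid": None,
                "fault_address": None,
                "null_deref": None,  # the event carries an offset, not the faulting address
                "access_violation": m.group("code").lower() == "0xc0000005",
                "raw": line.strip(),
            })
    return hits


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Counts a SIEM dashboard would show: crashes, confirmed NULL derefs, processes."""
    hits = find_crashes(lines)
    return {
        "crashes": len(hits),
        "null_deref": sum(1 for h in hits if h["null_deref"]),
        "processes": sorted({str(h["process"]) for h in hits}),
    }


if __name__ == "__main__":
    for hit in find_crashes(SAMPLE_LOG.splitlines()):
        print(hit["os"], hit["process"], "null_deref=" + str(hit["null_deref"]))
    print(summarize(SAMPLE_LOG.splitlines()))
```

A single Linux hit with a fault address of 0 on a host that captures Modbus traffic is worth correlating with the network indicators above; the Windows event only tells you it was an access violation, so pull the crash dump (or the capture that was open) to tell this bug apart from any other crash.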

🔗 References

  • Wireshark advisory wnpa-sec-2021-14: https://www.wireshark.org/security/wnpa-sec-2021-14.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-39921