CVE-2021-39923

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in Wireshark's PNRP dissector allows attackers to crash the application by processing specially crafted network packets or capture files. This affects Wireshark users analyzing malicious traffic or opening malicious capture files. The vulnerability can be triggered remotely via packet injection on monitored networks.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: All Wireshark installations with PNRP protocol support enabled (default) are vulnerable when processing PNRP traffic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes repeatedly when processing malicious traffic, preventing network analysis and monitoring. In continuous monitoring scenarios, this could disrupt security operations.

🟠 Likely Case

Temporary disruption of Wireshark sessions when analyzing malicious traffic or opening crafted capture files, requiring an application restart.

🟢 If Mitigated

Minimal impact if Wireshark is not used to monitor untrusted networks or to analyze capture files of unknown origin.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing, but could be affected if monitoring internet traffic.
🏢 Internal Only: MEDIUM - Internal attackers could disrupt network monitoring by injecting malicious packets on monitored segments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious PNRP packets to monitored network segments or providing crafted capture files. Packet injection requires network access to monitored segments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.4.10 and 3.2.18

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-11.html

Restart Required: Yes

Instructions:

1. Download the latest Wireshark from wireshark.org.
2. Install over the existing version.
3. Restart Wireshark and any related services.

🔧 Temporary Workarounds

Workaround 1: Disable PNRP dissector

Platforms: all

Description: Prevent Wireshark from processing PNRP packets by disabling the dissector.

Steps: Edit preferences -> Protocols -> PNRP -> Uncheck 'Enable PNRP protocol'

Workaround 2: Use capture filters

Platforms: all

Description: Filter out PNRP traffic at capture time.

Steps: Use capture filter: not port 3540

🧯 If You Can't Patch

  • Restrict Wireshark use to trusted networks only
  • Avoid opening capture files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: Help -> About Wireshark. If the version is in the range 3.4.0-3.4.9 or 3.2.0-3.2.17, the installation is vulnerable.

Check Version:

wireshark --version (command line, Linux) or Help -> About (GUI)

Verify Fix Applied:

Verify that the version is 3.4.10+, 3.2.18+, or 3.6.0+. Test with known malicious PNRP capture files if available.

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application error events mentioning PNRP

Network Indicators:

  • Unusual PNRP traffic patterns
  • High volume of PNRP packets to monitored segments

SIEM Query:

source="wireshark.log" AND ("crash" OR "segmentation fault" OR "PNRP")
