CVE-2021-39925

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in Wireshark's Bluetooth SDP dissector allows attackers to cause denial of service via packet injection or specially crafted capture files. This affects Wireshark users analyzing Bluetooth traffic or opening malicious capture files. The vulnerability can crash Wireshark but does not allow remote code execution.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default installations when Bluetooth SDP dissection is enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes when processing malicious Bluetooth SDP packets or capture files, potentially disrupting network analysis activities and causing data loss in unsaved captures.

🟠 Likely Case

Denial of service through Wireshark crashes when analyzing malicious Bluetooth traffic or opening crafted capture files.

🟢 If Mitigated

Minimal impact if Wireshark is not used for Bluetooth traffic analysis and untrusted capture files are avoided.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; exploitation requires local access or network position to inject packets.
🏢 Internal Only: MEDIUM - Internal attackers with network access could inject packets to crash Wireshark instances analyzing Bluetooth traffic.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires packet injection capability on the network, or a user opening a malicious capture file. A proof of concept is available in the GitLab issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.4.10 and 3.2.18

Vendor Advisory: https://gitlab.com/wireshark/wireshark/-/issues/17635

Restart Required: Yes

Instructions:

1. Download the latest Wireshark from wireshark.org.
2. Install over the existing version.
3. Restart the system, or at least all Wireshark processes.

🔧 Temporary Workarounds

Disable Bluetooth SDP dissection (Platforms: all)

Prevents processing of the vulnerable protocol by disabling the dissector.

Edit -> Preferences -> Protocols -> Bluetooth -> SDP -> Uncheck 'Enable SDP dissection'

Use packet capture filters (Platforms: all)

Filter out Bluetooth traffic before it reaches Wireshark.

Use capture filter: not (btsdp)

Capture filters use libpcap/BPF syntax, in which `btsdp` is not a keyword (it is the display-filter name of the dissector), so confirm that Wireshark accepts the filter before relying on it.

🧯 If You Can't Patch

  • Avoid analyzing Bluetooth network traffic with vulnerable Wireshark versions
  • Do not open untrusted .pcap or .pcapng files from unknown sources

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version in Help -> About Wireshark. If it is 3.4.0 through 3.4.9 or 3.2.0 through 3.2.17, you are vulnerable.

Check Version:

wireshark --version | head -1

Verify Fix Applied:

Verify Wireshark version is 3.4.10+ or 3.2.18+ in Help -> About Wireshark.
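As an added check that is not part of the advisory, the POSIX sh functions below parse the output of the version command shown above and report whether the installed version falls inside the affected ranges; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the advisory: classify a Wireshark version string
# against the ranges affected by CVE-2021-39925 (3.4.0-3.4.9 and 3.2.0-3.2.17;
# fixed in 3.4.10 and 3.2.18). Function names are this example's own.

# wireshark_version_affected "<version string>"
#   exit 0 = inside an affected range, 1 = outside, 2 = no version found
wireshark_version_affected() {
    # Keep only the first MAJOR.MINOR.PATCH, e.g. from
    # "Wireshark 3.4.5 (Git v3.4.5 packaged as 3.4.5-1)".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 3 ] || return 1
    case "$minor" in
        4) [ "$patch" -le 9 ] && return 0 ;;   # 3.4.0 .. 3.4.9
        2) [ "$patch" -le 17 ] && return 0 ;;  # 3.2.0 .. 3.2.17
    esac
    return 1
}

# Run the version command from the advisory on this host (tshark is checked
# too, since it uses the same dissection engine) and report the result.
check_installed_wireshark() {
    for bin in wireshark tshark; do
        command -v "$bin" >/dev/null 2>&1 || continue
        out=$("$bin" --version 2>/dev/null | head -1)
        if wireshark_version_affected "$out"; then
            echo "$bin: AFFECTED by CVE-2021-39925 ($out)"
        else
            echo "$bin: not in an affected range ($out)"
        fi
        return 0
    done
    echo "no wireshark or tshark binary found in PATH"
    return 2
}
```

Call `check_installed_wireshark` on the host to verify; the exit status of `wireshark_version_affected` can also be used directly from inventory scripts.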

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs, abnormal termination of wireshark/tshark processes

Network Indicators:

  • Unusual Bluetooth SDP traffic patterns, packet injection attempts on Bluetooth channels

SIEM Query:

(Process:Name="wireshark.exe" OR Process:Name="tshark.exe") AND EventID=1000 (Application Crash)
