CVE-2021-39929

7.5 HIGH

📋 TL;DR

This vulnerability allows denial of service attacks against Wireshark through uncontrolled recursion in the Bluetooth DHT dissector. Attackers can crash Wireshark by injecting malicious packets or providing crafted capture files. Users running affected Wireshark versions 3.4.0-3.4.9 or 3.2.0-3.2.17 are vulnerable.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Bluetooth DHT dissector; any configuration using this dissector is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes repeatedly, preventing network analysis and potentially causing data loss if analyzing critical captures during an incident.

🟠 Likely Case

Wireshark crashes when processing malicious Bluetooth traffic or specially crafted capture files, disrupting network analysis workflows.

🟢 If Mitigated

With proper network segmentation and updated software, impact is limited to isolated analysis systems with minimal operational disruption.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool used internally.
🏢 Internal Only: MEDIUM - Attackers on the local network could inject malicious Bluetooth packets to crash Wireshark instances, disrupting network analysis activities.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious Bluetooth packets to the network or providing crafted capture files; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.4.10 and 3.2.18

Vendor Advisory: https://gitlab.com/wireshark/wireshark/-/issues/17651

Restart Required: Yes

Instructions:

1. Download latest Wireshark from wireshark.org
2. Install over existing version
3. Restart system or at least Wireshark processes

🔧 Temporary Workarounds

Disable Bluetooth DHT dissector (platforms: all)

Prevent Wireshark from using the vulnerable dissector

wireshark -o bluetooth.dht.enable_dissector:FALSE

Network segmentation (platforms: all)

Isolate Wireshark systems from untrusted networks

🧯 If You Can't Patch

  • Restrict Wireshark usage to trusted networks only
  • Monitor for abnormal Wireshark crashes and investigate source

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: if it is in the range 3.4.0 to 3.4.9 or 3.2.0 to 3.2.17, you are vulnerable.

Check Version:

wireshark -v | head -1

Verify Fix Applied:

Verify Wireshark version is 3.4.10+ or 3.2.18+
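
The version check above as a script, added here as an example (not part of the original advisory or of Wireshark). It compares each version component numerically, so 3.4.10 is not mistaken for a release older than 3.4.9, which is what a plain string comparison would do. The function names, the result labels and the sample banner lines are constructed for illustration.

```shell
# Added example: classify a Wireshark version banner against the ranges on this page.

# Pull the first x.y.z token out of a banner line (e.g. the first line of `wireshark -v`).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print "vulnerable", "not-in-listed-range" or "unknown" for a version string.
classify_version() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                      # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    major=$1 minor=$2 patch=$3
    # Ranges from this page: 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 9 ]; then
        echo vulnerable
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 2 ] && [ "$patch" -le 17 ]; then
        echo vulnerable
    else
        echo not-in-listed-range
    fi
}

# Constructed sample banners; on a real host pass "$(wireshark -v | head -1)" instead.
for banner in \
    "Wireshark 3.4.9 (constructed sample)" \
    "Wireshark 3.4.10 (constructed sample)" \
    "Wireshark 3.2.17 (constructed sample)" \
    "Wireshark 3.2.18 (constructed sample)"
do
    v=$(extract_version "$banner")
    printf '%s -> %s\n' "${v:-?}" "$(classify_version "$v")"
done
```
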

📡 Detection & Monitoring

Log Indicators:

  • Multiple Wireshark crashes in system logs
  • Segmentation fault errors from Wireshark processes

Network Indicators:

  • Unusual Bluetooth packet patterns targeting analysis systems
  • Malformed Bluetooth DHT packets

SIEM Query:

source="system_logs" AND process="wireshark" AND (event="segmentation fault" OR event="crash")
