CVE-2021-4190
📋 TL;DR
This vulnerability in Wireshark's Kafka dissector allows attackers to cause a denial of service by triggering an infinite loop when processing specially crafted Kafka protocol packets. This affects anyone using Wireshark 3.6.0 to analyze network traffic containing Kafka protocol data. The vulnerability can be exploited through malicious packet injection or by opening a crafted capture file.
💻 Affected Systems
- Wireshark
📦 What is this software?
Fedora by Fedoraproject
Wireshark by Wireshark
⚠️ Risk & Real-World Impact
Worst Case
Complete Wireshark application crash or hang, potentially disrupting network analysis operations and losing unsaved capture data.
Likely Case
Wireshark becomes unresponsive when processing malicious Kafka traffic, requiring manual termination and restart, disrupting ongoing network analysis work.
If Mitigated
With proper network segmentation and Wireshark updates, impact is limited to isolated analysis systems with minimal operational disruption.
🎯 Exploit Status
Proof of concept available in the GitLab issue; exploitation requires the ability to inject packets into a monitored network or to supply a malicious capture file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Wireshark 3.6.1 and later
Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-02.html
Restart Required: Yes
Instructions:
1. Download the latest Wireshark version from wireshark.org.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system, or at least the Wireshark application.
🔧 Temporary Workarounds
Disable Kafka dissector
All platforms: prevent Wireshark from parsing Kafka protocol packets by disabling the dissector
Edit -> Preferences -> Protocols -> Kafka -> Uncheck 'Enable Kafka protocol'
Use capture filters
All platforms: filter out Kafka traffic at capture time to prevent the dissector from processing it
Capture -> Options -> Capture Filter: not port 9092
🧯 If You Can't Patch
- Isolate Wireshark systems from untrusted networks and users
- Only analyze capture files from trusted sources; avoid opening unknown capture files
🔍 How to Verify
Check if Vulnerable:
Check Wireshark version: Help -> About Wireshark. If version is exactly 3.6.0, you are vulnerable.
Check Version:
wireshark --version (Linux) or check About dialog (Windows)
Verify Fix Applied:
After updating, verify version is 3.6.1 or higher in Help -> About Wireshark.
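The version check above can be scripted for hosts where clicking through the About dialog is impractical. This is an added example, not part of the original advisory or of Wireshark; the function names and the sample banner are constructed for illustration, and it assumes the first line of `--version` output contains an x.y.z version number.

```bash
#!/usr/bin/env bash
# Added example: triage a Wireshark/TShark version banner for CVE-2021-4190.
# Function names and the sample banner below are constructed for illustration.

# Pull the first x.y.z version out of a banner line.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print vulnerable | fixed | not-listed | unknown for one banner line.
classify_banner() {
    local ver major minor patch rest
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown            # no parsable version: check by hand
        return 0
    fi
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -eq 0 ]; then
        echo vulnerable         # exactly 3.6.0
    elif [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 6 ]; } ||
         { [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 1 ]; }; then
        echo fixed              # 3.6.1 or higher
    else
        echo not-listed         # older than 3.6.0: not covered by this page
    fi
}

# Constructed sample banner, so the script shows a result without Wireshark installed.
sample='TShark (Wireshark) 3.6.0 (Git v3.6.0 packaged as 3.6.0-1)'
printf 'sample: %s\n' "$(classify_banner "$sample")"

# Live check of whichever binaries are on PATH.
for tool in wireshark tshark; do
    if command -v "$tool" >/dev/null 2>&1; then
        banner=$("$tool" --version 2>/dev/null | head -n 1) || true
        printf '%s: %s (%s)\n' "$tool" "$(classify_banner "$banner")" "$banner"
    fi
done
```

A `not-listed` result means only that the version is older than the one release this page names, not that it has been assessed.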
📡 Detection & Monitoring
Log Indicators:
- Wireshark crash logs, application hang events in system logs
Network Indicators:
- Unusual Kafka protocol packets with malformed structure targeting Wireshark systems
SIEM Query:
(EventID=1000 OR EventID=1001) AND ProcessName="wireshark.exe" AND Version="3.6.0"
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4190.json
- https://gitlab.com/wireshark/wireshark/-/issues/17811
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
- https://security.gentoo.org/glsa/202210-04
- https://www.wireshark.org/security/wnpa-sec-2021-22.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html