CVE-2024-0210

7.8 HIGH

📋 TL;DR

This vulnerability in Wireshark's Zigbee TLV dissector allows attackers to cause a denial of service (crash) by injecting specially crafted packets or providing a malicious capture file. It affects users running Wireshark 4.2.0 who analyze Zigbee network traffic or open untrusted capture files.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.2.0 only
Operating Systems: All platforms running Wireshark
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Zigbee TLV dissector; requires processing of Zigbee protocol traffic or opening malicious capture files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Wireshark application crash, potentially causing data loss of unsaved captures and disrupting network analysis operations.

🟠 Likely Case

Application crash when processing malicious Zigbee packets or capture files, requiring restart and potentially losing unsaved work.

🟢 If Mitigated

No impact if patched or if the vulnerable dissector is disabled; limited to the Wireshark application only, not affecting the underlying system.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; requires local access or network position to inject packets.
🏢 Internal Only: MEDIUM - Internal attackers with network access could inject packets to crash Wireshark instances on the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to inject packets or ability to provide malicious capture file; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.1 and later

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2024-04.html

Restart Required: Yes

Instructions:

1. Download Wireshark 4.2.1 or later from wireshark.org.
2. Install the update, replacing the vulnerable version.
3. Restart Wireshark to ensure the fix is active.

🔧 Temporary Workarounds

Disable Zigbee TLV dissector (applies to: all)

Prevents the vulnerable dissector from processing packets, eliminating the crash vector.

In Wireshark: Analyze -> Enabled Protocols -> Uncheck 'Zigbee TLV'

🧯 If You Can't Patch

  • Avoid analyzing untrusted capture files or Zigbee network traffic
  • Restrict network access to prevent packet injection attacks

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version via Help -> About Wireshark; if version is exactly 4.2.0, you are vulnerable.

Check Version:

wireshark --version | grep 'Wireshark'

Verify Fix Applied:

Verify version is 4.2.1 or later via Help -> About Wireshark.
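The two checks above can be scripted for fleet-wide verification. The following POSIX shell snippet is an added example, not part of this advisory: it parses the first line of `wireshark --version` output and reports whether the installed release is the single affected version (4.2.0), a fixed release (4.2.1 or later), or an older release this CVE does not cover. The sample version strings are constructed; the build hashes in them are placeholders.

```shell
#!/bin/sh
# Constructed samples of the first line printed by `wireshark --version`.
# Real output looks like "Wireshark 4.2.0 (v4.2.0-0-g<hash>)."; hashes here are placeholders.
SAMPLE_VULNERABLE='Wireshark 4.2.0 (v4.2.0-0-gPLACEHOLDER).'
SAMPLE_FIXED='Wireshark 4.2.1 (v4.2.1-0-gPLACEHOLDER).'
SAMPLE_OLDER='Wireshark 4.0.11 (v4.0.11-0-gPLACEHOLDER).'

# extract_version: print MAJOR.MINOR.PATCH from --version output, or nothing if unparsable
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Wireshark \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# classify_version: compare the parsed version against the affected release 4.2.0.
# Prints one of: vulnerable | fixed | unaffected | unknown
classify_version() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 1
    fi
    # Split MAJOR.MINOR.PATCH into three numeric fields
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    if [ "$major" -eq 4 ] && [ "$minor" -eq 2 ] && [ "$patch" -eq 0 ]; then
        echo vulnerable          # exactly 4.2.0: the only affected release
    elif [ "$major" -gt 4 ] \
        || { [ "$major" -eq 4 ] && [ "$minor" -gt 2 ]; } \
        || { [ "$major" -eq 4 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 1 ]; }; then
        echo fixed               # 4.2.1 or later carries the fix
    else
        echo unaffected          # older than 4.2.0: not affected by this CVE
    fi
}

# Demonstrate on the constructed samples, then on the local binary if one exists
for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED" "$SAMPLE_OLDER"; do
    printf '%-8s -> %s\n' "$(extract_version "$sample")" "$(classify_version "$sample")"
done
if command -v wireshark >/dev/null 2>&1; then
    printf 'installed -> %s\n' "$(classify_version "$(wireshark --version 2>/dev/null | head -n 1)")"
fi
```

Because only 4.2.0 is affected, the script deliberately separates "unaffected" (older releases) from "fixed" (4.2.1+); an inventory that lumps the two together would hide machines that still need upgrading for other reasons.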

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs, abnormal termination events

Network Indicators:

  • Unusual Zigbee protocol traffic patterns, malformed TLV packets

SIEM Query:

EventID: 1000 Application Error for wireshark.exe OR Process: wireshark Termination
