CVE-2024-9781
📋 TL;DR
A vulnerability in Wireshark's AppleTalk and RELOAD Framing dissectors lets a malformed packet or capture file crash the application, a denial of service. The bug sits in the shared dissector library, so tshark is affected in the same way as the GUI. It can be triggered remotely by injecting crafted AppleTalk or RELOAD packets onto a segment that is being captured, or locally by convincing an analyst to open a crafted capture file.
💻 Affected Systems
- Wireshark 4.4.0, and 4.2.0 through 4.2.7 (tshark from the same install shares the dissector code)
📦 What is this software?
Wireshark by Wireshark: an open-source network protocol analyzer. Its protocol dissectors parse untrusted packet data, which is why malformed input in a single protocol can take the whole application down.
⚠️ Risk & Real-World Impact
Worst Case
Complete Wireshark application crash leading to denial of service for network analysis, potentially disrupting security monitoring or troubleshooting activities.
Likely Case
Wireshark crashes when analyzing malicious network traffic or opening crafted capture files, requiring restart of the application.
If Mitigated
Limited impact if the AppleTalk and RELOAD Framing dissectors are disabled, or if capture filters keep that traffic away from the dissectors; the advisory describes a crash only, so the residual risk is lost analysis time rather than compromise of the analyst's host.
🎯 Exploit Status
Exploitation requires either the ability to inject packets onto a segment that Wireshark is capturing, or convincing a user to open a malicious capture file. The outcome is a crash of the analyzer process; no code execution is described in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Wireshark 4.4.1 and 4.2.8
Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2024-13.html
Restart Required: Yes, of the Wireshark/tshark process; a reboot is only needed if the installer asks for one
Instructions:
1. Download the patched release for your branch from wireshark.org (4.4.1 for the 4.4 branch, 4.2.8 for the 4.2 branch), or take it from your distribution's package repository.
2. Close any running Wireshark or tshark instances.
3. Install the patched version (an in-place upgrade is fine; uninstalling first is only needed if the installer requires it).
4. Restart the system if prompted, then re-check the version.
🔧 Temporary Workarounds
Disable vulnerable dissectors
Disable the AppleTalk family (DDP and the protocols carried over it) and RELOAD Framing dissectors, either from Analyze > Enabled Protocols in the GUI or with --disable-protocol on the command line. List the registered filter names first (tshark -G protocols gives the same output on headless hosts). Several AppleTalk protocols do not have "AppleTalk" in their names (DDP, NBP, ZIP, RTMP), so grep for those too:
wireshark -G protocols | grep -iE 'appletalk|reload framing|^(datagram delivery|name binding|zone information|routing table maintenance)'
Then start Wireshark with the matching filter names (third column of that output) disabled, e.g. wireshark --disable-protocol ddp --disable-protocol reload-framing, or put one filter name per line in the disabled_protos file of the configuration profile in use.
Filter network traffic
An iptables rule does not help here: AppleTalk is not an IP protocol (iptables -p appletalk is not a valid match), and libpcap taps frames at the link layer before netfilter sees them, so a DROP rule would not keep the traffic away from Wireshark anyway. Use a capture filter instead, so the frames are discarded in the kernel before any dissector runs:
wireshark -i eth0 -f 'not atalk and not aarp'
RELOAD Framing runs over TCP/UDP, so add the ports your deployment uses for it to the filter; disabling the dissector is the more reliable control. Filtering AppleTalk at switches and firewalls reduces exposure on the wire but does nothing against a crafted capture file.
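The workaround above is easy to get wrong by hand: a misspelled filter name in disabled_protos is silently ignored, and editing the main profile affects every capture the analyst opens. The script below is an added example, not code from the Wireshark project or from this advisory. It builds a separate configuration profile whose disabled_protos file turns off the AppleTalk family and RELOAD Framing, and it checks each candidate name against the live wireshark -G protocols listing. The filter names in CANDIDATES are assumptions taken from the AppleTalk and RELOAD dissectors; any name the listing does not contain is reported instead of written, so a wrong guess shows up rather than leaving a dissector enabled.

```shell
#!/bin/sh
# Added example; not code from the Wireshark project or from this advisory.
# Builds a separate Wireshark configuration profile whose disabled_protos file
# turns off the AppleTalk family and RELOAD Framing, leaving the normal profile
# untouched. Assumption: the filter names in CANDIDATES are what this build's
# `wireshark -G protocols` prints in its third column; a name that is not
# found is reported on stderr instead of being written.

# Assumed filter names: DDP plus the protocols carried over it, LLAP, AARP,
# and RELOAD Framing. Adjust after checking the -G listing on your build.
CANDIDATES="ddp rtmp nbp atp zip asp prap llap aarp reload-framing"

# Read the tab-separated `-G protocols` listing on stdin and print, one per
# line, the candidates that really exist (column 3 is the filter name).
select_protos() {
    listing=$(cat)
    for p in $CANDIDATES; do
        if printf '%s\n' "$listing" |
           awk -F'\t' -v p="$p" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'; then
            printf '%s\n' "$p"
        else
            printf 'warning: %s not in protocol listing, skipped\n' "$p" >&2
        fi
    done
}

# Write disabled_protos into the profile directory given as $1 (default: a new
# profile named cve-2024-9781 under ~/.config/wireshark) and print the path
# written. Reads the -G listing from stdin, like select_protos.
make_profile() {
    dir="${1:-$HOME/.config/wireshark/profiles/cve-2024-9781}"
    mkdir -p "$dir"
    select_protos > "$dir/disabled_protos"
    printf '%s\n' "$dir/disabled_protos"
}

# Real-world use (commented out so the file can be sourced safely):
#   wireshark -G protocols | make_profile
#   wireshark -C cve-2024-9781          # -C selects the configuration profile
#   tshark -C cve-2024-9781 -r suspect.pcapng
```

Keeping the mitigation in its own profile means analysts opt in with -C for untrusted captures and keep full dissection for everything else; once the patched build is installed the profile can simply be deleted.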
🧯 If You Can't Patch
- Restrict Wireshark usage to trusted users only and limit network monitoring to necessary interfaces
- Implement strict controls on capture file handling - only open files from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check the Wireshark version: 4.4.0, or 4.2.0 through 4.2.7 inclusive, is affected. On headless hosts check tshark the same way; it is built from the same dissector code.
Check Version:
wireshark --version | grep 'Wireshark'
Verify Fix Applied:
Verify the Wireshark version is 4.4.1 or later on the 4.4 branch, or 4.2.8 or later on the 4.2 branch.
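For fleet-wide checks the version comparison is worth scripting rather than eyeballing, since "4.2.10" sorts before "4.2.7" as a string. The script below is an added example, not code from the Wireshark project or from this advisory. It parses the first line of wireshark --version (or a bare version string) and classifies it against the ranges the advisory lists: 4.4.0, and 4.2.0 through 4.2.7. Branches the advisory does not mention, such as 4.0.x, are reported as outside the listed ranges, not as safe. It assumes a POSIX shell and that the version output starts with "Wireshark X.Y.Z".

```shell
#!/bin/sh
# Added example; not code from the Wireshark project or from this advisory.
# Classifies a Wireshark version string against the ranges in
# wnpa-sec-2024-13: 4.4.0 is affected, and 4.2.0 through 4.2.7 are affected.
# Branches the advisory does not list (for example 4.0.x) are reported as
# outside the listed ranges, not as safe. Assumes POSIX sh and that
# `wireshark --version` starts with "Wireshark X.Y.Z".

# Extract "major minor patch" from either a bare "4.2.7" or the first line of
# `wireshark --version`, e.g. "Wireshark 4.2.7 (v4.2.7-0-g...)".
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit status: 0 = in an affected range, 1 = outside the listed ranges,
# 2 = version string could not be parsed.
affected_by_cve_2024_9781() {
    set -- $(parse_version "$1")
    [ "$#" -eq 3 ] || return 2
    if [ "$1" -eq 4 ] && [ "$2" -eq 4 ] && [ "$3" -eq 0 ]; then return 0; fi   # 4.4.0
    if [ "$1" -eq 4 ] && [ "$2" -eq 2 ] && [ "$3" -le 7 ]; then return 0; fi   # 4.2.0 to 4.2.7
    return 1
}

# Query the installed binary (wireshark, falling back to tshark on headless
# hosts; both carry the same dissector code) and print a verdict.
check_installed() {
    for bin in wireshark tshark; do
        line=$("$bin" --version 2>/dev/null | head -n 1) && [ -n "$line" ] || continue
        if affected_by_cve_2024_9781 "$line"; then
            printf 'AFFECTED (upgrade to 4.4.1 / 4.2.8 or later): %s\n' "$line"
            return 0
        else
            printf 'outside the advisory ranges: %s\n' "$line"
            return 1
        fi
    done
    printf 'neither wireshark nor tshark found in PATH\n' >&2
    return 2
}
```

Run check_installed from a configuration-management job and treat exit status 0 as a finding; exit status 2 (no binary, or unparseable output) deserves a look too, since a build that reports its version oddly may be a locally compiled one that the package-based inventory misses.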
📡 Detection & Monitoring
Log Indicators:
- Wireshark does not write its own crash log; look at the OS crash handler instead: systemd-coredump/journald entries for a process named wireshark or tshark on Linux, Windows Application log Event ID 1000 (Application Error) with Wireshark.exe as the faulting application, macOS crash reports for Wireshark
- Analyst reports of Wireshark exiting while a particular capture file is open, or while capturing on a segment that carries AppleTalk or RELOAD traffic
Network Indicators:
- AppleTalk (EtherType 0x809B, AARP 0x80F3) or RELOAD traffic on segments where it is not expected
- Repeated malformed AppleTalk or RELOAD Framing packets, visible on a patched analyzer through Wireshark's malformed-packet expert info
SIEM Query:
Splunk-style example; sourcetype and field names are assumptions and must be mapped to your own log sources:
(sourcetype="WinEventLog:Application" EventCode=1000 "Wireshark.exe") OR (sourcetype="syslog" "systemd-coredump" ("(wireshark)" OR "(tshark)"))