Wireshark 1.6.1 Malformed IKE Packet DoS


A new vulnerability has been discovered in Wireshark 1.6.1 that affects the IKEv1 (ISAKMP) dissector's use of proto_tree_add_item(); this bug allows an attacker to conduct a denial of service attack against the analyzer.

This is not the first vulnerability discovered in Wireshark lately: on the 18th of April, Paul Makowski, working for SEI/CERT, discovered a vulnerability that allows a remote user who can send specially crafted data to trigger a buffer overflow in the DECT dissector and execute arbitrary code on the target system [CVE-2011-1591]. The code runs with the privileges of the target service.

Wireshark is one of the best network analyzers; it operates like tcpdump but with a graphical interface. The tool has a rich dashboard that displays all captured packets on the network, with the possibility of filtering the gathered information.

Currently there is no workaround, but you can expect a patch for this issue soon.

Update: Wireshark core developer @StigBjorlykke wrote on Twitter that the vulnerability has just been fixed.

  • Stig

    A workaround is to disable the “isakmp” dissector from Analyze -> Enabled Protocols…

  • Thanks for the solution, but does this affect Wireshark's functionality?

  • Stig

    It disables dissection of isakmp packets, but nothing else.

  • Vuln

    When using Wireshark 1.6.1 to capture the malformed isakmp packet (Next Payload = DELETE (12), Exchange Type = Information (5) with no actual payload data) and then clicking on that packet, that will cause a denial of service.
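As an added example (not code from this post or from Wireshark), the sanity check a dissector or IDS preprocessor should perform before trusting a Next Payload value: parse the 28-byte ISAKMP fixed header per RFC 2408 and refuse to follow a declared payload when no payload bytes follow it. The two sample datagrams are constructed test vectors, not captured traffic; the first is shaped like the header-only packet described in the comment above, the second carries a well-formed Delete payload.

```python
import struct
from typing import Dict, List

ISAKMP_HDR_LEN = 28        # fixed ISAKMP header, RFC 2408 section 3.1
NEXT_PAYLOAD_NONE = 0
NEXT_PAYLOAD_DELETE = 12   # value named in the comment above
EXCH_INFORMATIONAL = 5

def parse_isakmp_header(data: bytes) -> Dict[str, int]:
    """Unpack the fixed header; raise ValueError if the datagram is shorter than it."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError(f"truncated ISAKMP header: {len(data)} bytes")
    # cookies (8+8), next payload, version, exchange type, flags, message id, length
    fields = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    keys = ("next_payload", "version", "exchange_type", "flags", "message_id", "length")
    return dict(zip(keys, fields[2:]))

def check_isakmp(data: bytes) -> List[str]:
    """Return consistency problems found in an ISAKMP datagram (empty list = looks sane)."""
    try:
        hdr = parse_isakmp_header(data)
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    if hdr["length"] != len(data):
        findings.append(f"header length {hdr['length']} != captured {len(data)} bytes")
    # Walk the generic payload chain; every payload begins with
    # next_payload(1) reserved(1) payload_length(2), RFC 2408 section 3.2.
    next_payload, offset = hdr["next_payload"], ISAKMP_HDR_LEN
    while next_payload != NEXT_PAYLOAD_NONE:
        if offset + 4 > len(data):
            findings.append(f"payload type {next_payload} declared at offset {offset} "
                            "but no payload bytes follow")
            break
        next_payload, _, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            findings.append(f"payload at offset {offset} has invalid length {plen}")
            break
        offset += plen
    return findings

# Constructed samples (not captured traffic): header only, and header plus a Delete payload.
_HDR = b"\x11" * 8 + b"\x22" * 8 + bytes([NEXT_PAYLOAD_DELETE, 0x10, EXCH_INFORMATIONAL, 0])
SAMPLE_EMPTY_DELETE = _HDR + struct.pack("!II", 0, ISAKMP_HDR_LEN)
_DELETE_BODY = struct.pack("!IBBH", 1, 1, 16, 1) + b"\xab" * 16   # DOI, proto, SPI size, #SPIs, SPI
_DELETE_PAYLOAD = struct.pack("!BBH", NEXT_PAYLOAD_NONE, 0, 4 + len(_DELETE_BODY)) + _DELETE_BODY
SAMPLE_WITH_DELETE = _HDR + struct.pack("!II", 0, ISAKMP_HDR_LEN + len(_DELETE_PAYLOAD)) + _DELETE_PAYLOAD
```

Running check_isakmp over each datagram in a capture flags the header-only case before any per-payload parsing is attempted, which is exactly the guard the affected dissector lacked.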