Security Bypass Vulnerability Found Affecting Several Wireshark Versions from 0.10 to 2.6.2

A security bypass vulnerability has been discovered in the Wireshark network protocol analyzer. The vulnerability, labeled CVE-2018-14438, affects the free open source packet analyzer in all versions up to 2.6.2. The risk stems from the access control list (ACL) that governs which users may access a mutex named “Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}” and with what rights. Wireshark and its related processes hold this mutex for as long as they run so that the NSIS installer can tell the user that Wireshark is still operational.

The code that creates this mutex, in wsutil/file_util.c, calls SetSecurityDescriptorDacl in a way that sets a null DACL on the mutex. The ability to create null ACLs in this way could be exploited by any remote attacker, who could set a null DACL for all users, including the administrator; that would limit everyone else’s control while granting the attacker the ability to restrict rights, abuse their own rights, and execute arbitrary code.

This vulnerability is categorized as a fault in the common utilities (libwsutil) component of the packet analyzer, specifically the improper call to SetSecurityDescriptorDacl. It has been ranked as a relatively low-risk vulnerability at this stage. The immediate response is to ensure that only non-null DACLs can be set, but the security implications of that change are unknown. No update or patch has been released to fix this vulnerability as yet.
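A defender's check for the condition described above, added here as an example and not taken from the article or from the Wireshark project: it opens the mutex named in the article with read-only rights and reports whether its DACL carries no ACEs (consistent with a NULL DACL) or grants Everyone the right to rewrite it. It assumes Windows PowerShell 5.1 (the .NET Framework overloads of Mutex.OpenExisting and GetAccessControl) and that Wireshark is running.

```powershell
# Added example, not from the article or the Wireshark project.
# Mutex name as quoted in the article.
$MutexName = 'Wireshark-is-running-{9CA78EEA-EA4D-4490-9240-FC01FCEF464B}'

function Test-MutexDacl {
    param([string]$Name = $MutexName)

    try {
        # Request only the right needed to read the security descriptor.
        $m = [System.Threading.Mutex]::OpenExisting(
            $Name, [System.Security.AccessControl.MutexRights]::ReadPermissions)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return [pscustomobject]@{ Name = $Name; Sddl = ''; Rules = @()
            Finding = 'mutex not present (is Wireshark running?)' }
    }

    $sec = $m.GetAccessControl()
    $m.Dispose()
    # SDDL of the DACL part; a NULL DACL renders as D:NO_ACCESS_CONTROL.
    $sddl  = $sec.GetSecurityDescriptorSddlForm(
        [System.Security.AccessControl.AccessControlSections]::Access)
    $rules = $sec.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    $everyone  = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    # Rights that let a caller rewrite the DACL or take the object over.
    $dangerous = [int][System.Security.AccessControl.MutexRights]::ChangePermissions -bor
                 [int][System.Security.AccessControl.MutexRights]::TakeOwnership

    $finding = 'DACL present; Everyone cannot change permissions or take ownership'
    if ($rules.Count -eq 0) {
        # A NULL DACL carries no ACEs and grants every caller full control;
        # confirm against the SDDL string in the output.
        $finding = 'no ACEs: consistent with a NULL DACL (everyone gets full control)'
    } else {
        foreach ($r in $rules) {
            if ($r.AccessControlType -eq 'Allow' -and
                $r.IdentityReference -eq $everyone -and
                (([int]$r.MutexRights -band $dangerous) -ne 0)) {
                $finding = "Everyone is allowed $($r.MutexRights): any user can rewrite the DACL"
            }
        }
    }

    [pscustomobject]@{ Name = $Name; Sddl = $sddl; Rules = $rules; Finding = $finding }
}

Test-MutexDacl | Format-List
```

Run it while Wireshark is open; the Finding field states the verdict and the Sddl and Rules fields let you verify it by hand.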

Aaron Michael
Aaron Michael is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge of gaming make him a very competent writer. What makes him unique is his growing interest in state-of-the-art technologies, which motivates him to learn, adopt, and integrate the latest techniques into his work.