Wireshark 4.6.6 patches CVE-2024-6129, a DoS flaw in NetScaler parsing. Update immediately to prevent analysis tool crashes during incident response.
Introduction
The Wireshark development team has released version 4.6.6, a critical security update addressing a single significant vulnerability (CVE-2024-6129) alongside 11 bug fixes. For Security Operations Centers (SOCs) and Incident Responders, Wireshark is a primary tool for network forensics. A Denial-of-Service (DoS) vulnerability in this tool is not merely an inconvenience; it is a tactical disruption that can blind analysts during active investigations or malicious file analysis. This release addresses a specific flaw in the NetScaler dissector that could allow an attacker to crash the application remotely via a crafted packet capture file.
Defenders must treat this update with high priority. While the vulnerability is a DoS (preventing code execution), the loss of visibility at a critical moment is a viable attacker strategy. If an analyst opens a malicious pcap during an investigation, the crash destroys the runtime state and halts the analysis workflow.
Technical Analysis
- Affected Products: Wireshark (all platforms: Windows, macOS, Linux).
- Affected Versions: Versions prior to 4.6.6 (specifically the 4.6.x branch and older Long-Term Support versions).
- CVE Identifier: CVE-2024-6129.
- CVSS Score: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
- Vulnerability Mechanics: The flaw resides in the NetScaler file parser (dissector). The vulnerability is triggered by a malformed capture file that contains specific data structures causing an infinite loop. When Wireshark attempts to parse this data, it enters a state of excessive resource consumption or hangs indefinitely, resulting in a complete application freeze or crash.
- Exploitation Requirements: User interaction is required (opening a file), but the attack vector (the pcap file) can be delivered via email, downloaded from a compromised server, or encountered in a shared network drive. No active network capture is required; the threat exists in the analysis of static files.
- Exploitation Status: Theoretical/Proof-of-Concept. While there are no confirmed widespread active exploitation campaigns at this time, crafting a poc to trigger the infinite loop is technically trivial for adversarial red teams looking to frustrate blue team analysis.
Detection & Response
Detecting the attempt to exploit this vulnerability requires identifying the application crash or the suspicious parent process chain that spawns Wireshark with a potentially malicious file. Below are detection mechanisms to identify successful DoS events and risky execution patterns.
Sigma Rules
---
title: Wireshark Application Crash - Potential DoS (CVE-2024-6129)
id: 8c8b4d2e-9e1a-4f3b-8c7d-1e2f3a4b5c6d
status: experimental
description: Detects crashes in Wireshark executable which may indicate a DoS attempt via malformed capture files like CVE-2024-6129.
references:
- https://www.wireshark.org/security/wnpa-sec-2024-03.html
author: Security Arsenal
date: 2024/05/26
tags:
- attack.impact
- attack.t1499
logsource:
category: application
product: windows
detection:
selection:
EventID: 1000
FaultingImageName|endswith:
- '\wireshark.exe'
condition: selection
falsepositives:
- Legitimate application instability due to corrupt non-malicious pcaps
level: high
---
title: Wireshark Launched by Scripting Utility - Suspicious Execution
id: 2a1b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Wireshark being launched by a non-shell parent process (e.g., python, wscript), potentially indicating automated pcap parsing or script-based delivery.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/05/26
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\wireshark.exe'
ParentImage|endswith:
- '\python.exe'
- '\python3.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\cmd.exe'
filter:
# Filter out common user launches from explorer or cmd
ParentImage|contains:
- '\\Users\\'
condition: selection and not filter
falsepositives:
- Analysts automating workflows with scripts
level: medium
KQL (Microsoft Sentinel)
// Hunt for Wireshark crashes in the last 24 hours
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessCrash" or ActionType == "ApplicationHang"
| where FolderPath endswith @"\wireshark.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName, AdditionalFields
| extend CrashDetails = parse_(AdditionalFields)
| order by Timestamp desc
// Hunt for Wireshark launched by suspicious automation tools
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "wireshark.exe"
| where InitiatingProcessFileName in ("python.exe", "wscript.exe", "powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Wireshark process crashes and check versions
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'wireshark'
-- Check installed Wireshark version on Linux/Unix endpoints
SELECT Fqdn, OS, FullPath, Version
FROM glob(globs='/*/*/wireshark')
SELECT * FROM execve(argv=["wireshark", "--version"])
Remediation Script
# PowerShell Script to Check and Update Wireshark Version (CVE-2024-6129)
# Requires Administrator Privileges
Write-Host "Checking Wireshark Version for CVE-2024-6129 Vulnerability..." -ForegroundColor Cyan
# Define common installation paths for Wireshark
$paths = @(
"C:\Program Files\Wireshark\Wireshark.exe",
"C:\Program Files (x86)\Wireshark\Wireshark.exe",
"${env:ProgramFiles}\Wireshark\Wireshark.exe",
"${env:ProgramFiles(x86)}\Wireshark\Wireshark.exe"
)
$vulnerableFound = $false
foreach ($path in $paths) {
if (Test-Path $path) {
$fileInfo = Get-Item $path
$versionInfo = $fileInfo.VersionInfo.FileVersion
Write-Host "Found Wireshark at: $path" -ForegroundColor Yellow
Write-Host "Current Version: $versionInfo" -ForegroundColor White
# Parse version to compare against 4.6.6.0
# Note: Simple string comparison works for standard Wireshark versioning format X.Y.Z.Z
if ([version]$versionInfo -lt [version]"4.6.6.0") {
Write-Host "[ALERT] Vulnerable version detected! Update to 4.6.6 or higher immediately." -ForegroundColor Red
$vulnerableFound = $true
} else {
Write-Host "[OK] Version is patched." -ForegroundColor Green
}
}
}
if (-not $vulnerableFound -and $paths | Where-Object { Test-Path $_ }) {
Write-Host "No vulnerable instances found on this machine." -ForegroundColor Green
} elseif (-not ($paths | Where-Object { Test-Path $_ })) {
Write-Host "Wireshark not found in standard paths." -ForegroundColor Gray
}
# Bash equivalent for Linux analysts can be run via: wireshark --version | head -n 1
Remediation
- Update Immediately: All users and administrators must upgrade to Wireshark 4.6.6.
- Vendor Advisory: Refer to the official Wireshark security advisory wnpa-sec-2024-03.
- Workarounds: If immediate patching is impossible, analysts should exercise extreme caution when opening capture files from untrusted sources, specifically those suspected to be related to NetScaler/Citrix traffic. Disabling the NetScaler dissector (Edit -> Preferences -> Protocols -> NetScaler) is a temporary mitigation if the protocol is not required for current analysis.
- Supply Chain Check: Ensure that any automated pcap ingestion tools or SOAR playbooks that utilize Wireshark/Tshark are updated to prevent pipeline failures.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.