CVE-2023-1993 — Excessive Iteration in Wireshark

CWE-834 — Excessive Iteration CWE-400 — Uncontrolled Resource Consumption CWE-328 — Use of Weak Hash CWE-916 — Use of Password Hash With Insufficient Computational Effort CWE-327 — Use of a Broken or Risky Cryptographic Algorithm9 documents7 sources

Severity

6.5MEDIUMNVD

CNA6.3

EPSS

0.3%

top 50.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Wireshark Foundation Wireshark Debian Linux +1 more

Timeline

PublishedApr 12

Latest updateOct 25

Description

LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDwireshark/wireshark3.6.0 — 3.6.13+1

▶Debianwireshark/wireshark< 3.4.16-0+deb11u1+3

▶CVEListV5wireshark_foundation/wireshark>=3.6.0, <3.6.13, >=4.0.0, <4.0.5+1

Also affects: Debian Linux 10.0, 12.0, Fedora 36, 37, 38

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard↗2023-10-25

▶

GHSA

crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard↗2023-10-25

▶

CVEList

CVE-2023-1993: LISP dissector large loop in Wireshark 4↗2023-04-12

▶

OSV

CVE-2023-1993: LISP dissector large loop in Wireshark 4↗2023-04-12

▶

GHSA

GHSA-h4rg-h5cx-4r4w: LISP dissector large loop in Wireshark 4↗2023-04-12

▶

📋Vendor Advisories

Red Hat

crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard↗2023-10-25

▶

Red Hat

wireshark: LISP dissector large loop↗2023-04-12

▶

Debian

CVE-2023-1993: wireshark - LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows...↗2023

▶