CVE-2020-13164

In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in epan/dissectors/packet-nfs.c by preventing excessive recursion, such as for a cycle in the directory graph on a filesystem.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name	Vendor	Start Version	End Version
Wireshark	Wireshark	2.6.0 (including)	2.6.16 (including)
Wireshark	Wireshark	3.0.0 (including)	3.0.10 (including)
Wireshark	Wireshark	3.2.0 (including)	3.2.3 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/230.html
https://cwe.mitre.org/data/definitions/231.html

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00038.html
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16476
https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a
https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5UOISPQTRCZGQLKBVXEDL72AEXEHS425/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DNV3EYL4JBWCR22TJO3PH7ADUVS5RWSU/
https://security.gentoo.org/glsa/202007-13
https://www.wireshark.org/security/wnpa-sec-2020-08.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-13164
CWE	https://cwe.mitre.org/data/definitions/674.html

Uncontrolled Recursion

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References