ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online

wnpa-sec-2006-02 · Multiple problems in Wireshark (Ethereal)


Name: Multiple problems in Wireshark (Ethereal)

Docid: wnpa-sec-2006-02

Date: August 23, 2006

Affected versions: 0.7.9 up to and including 0.99.2

Fixed versions: 0.99.3



Wireshark 0.99.3 fixes the following vulnerabilities:

  • The SCSI dissector could crash. Versions affected: 0.99.2. CVE: CVE-2006-4330
  • If Wireshark was compiled with ESP decryption support, the IPsec ESP preference parser was susceptible to off-by-one errors. Versions affected: 0.99.2. CVE: CVE-2006-4331
  • The DHCP dissector (and possibly others) in the Windows version of Wireshark could trigger a bug in Glib and crash. Versions affected: 0.10.13 - 0.99.2. CVE: CVE-2006-4332
  • If the SSCOP dissector has a port range configured and the SSCOP payload protocol is Q.2931, a malformed packet could make the Q.2931 dissector use up available memory. No port range is configured by default. Versions affected: 0.7.9 - 0.99.2. CVE: CVE-2006-4333


It may be possible to make Wireshark or Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.


Upgrade to Wireshark 0.99.3.

If are running Wireshark 0.99.2 or Ethereal 0.99.0 or earlier and cannot upgrade, you can work around each of the problems listed above by doing the following:

  • Disable the SCSI and Q.2931 dissectors. If you're running Wireshark under Windows, disable the DHCP dissector.
    • Select Analyze→Enabled Protocols... from the menu.
    • Make sure "SCSI", "Q.2931", and "BOOTP/DHCP" (if needed) are un-checked.
    • Click "Save", then click "OK".
  • If your copy of Wireshark has ESP decryption compiled in, make sure it's disabled.
    • Select Edit→Preferences, then Protocols→ESP from the menu.
    • Make sure "Attempt to detect/decode encrypted ESP payloads" is un-checked.