Bug 1941478 (CVE-2021-22191)

Summary: CVE-2021-22191 wireshark: improper URL handling may lead to remote code execution
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alekcejk, denis, huzaifas, lemenkov, mruprich, msehnout, peter, rvokal, sergey.avseyev
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: wireshark 3.4.4, wireshark 3.2.12
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in Wireshark. An attacker who sends malicious links with schemes other than http/https over the wire or via a pcapng file, and who is able to get a victim user of Wireshark's user interface to click these links, could perform actions such as mounting volumes, or in some cases launching undesired programs.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-01 05:35:10 UTC Type: ---
Bug Depends On: 1941479    
Bug Blocks: 1941480    

Description Marian Rehak 2021-03-22 09:06:38 UTC
Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via packet injection or crafted capture file.

Upstream Reference:

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22191.json
https://gitlab.com/wireshark/wireshark/-/issues/17232

Comment 1 Marian Rehak 2021-03-22 09:07:17 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1941479]

Comment 2 Todd Cullum 2021-03-24 21:08:15 UTC
Flaw summary:

In Wireshark's graphical user interface, clicking URIs in pcapng files and wire captures causes them to be "opened" by the default program. In the case of HTTP and HTTPS schemes, this normally occurs in the default web browser. However, other schemes such as file, ftp, dav, nfs, etc... can perform undesired actions such as running a .desktop file or mounting an NFS volume, depending on system configuration. This, along with social engineering, could be used by an attacker to trick the user into mounting an undesired volume or in the worst case, code execution. The attack requires the victim user to click/open a malicious URI, and system configuration to execute that file, in order to be exploited. The patch modifies ProtoTree::itemDoubleClicked() to only allow http & https. The root cause is arbitrary schemes being passed to QDesktopServices::openUrl().
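
The scheme allowlist described in Comment 2, as an added example in standard C++ without Qt; it is not Wireshark's patch and not code from this bug. The function names `uri_scheme` and `may_open_externally` and the sample strings are hypothetical and constructed for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical helper: return the lowercased scheme of `uri` following the
// RFC 3986 grammar (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":").
// Returns an empty string when there is no syntactically valid scheme.
std::string uri_scheme(const std::string& uri) {
    const std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(uri[0]))) return "";
    std::string scheme;
    for (std::string::size_type i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(uri[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
        scheme.push_back(static_cast<char>(std::tolower(c)));
    }
    return scheme;
}

// Hypothetical gate to run before a capture-derived string is handed to the
// desktop URL opener. Only http and https pass; every other scheme, and any
// string without a valid scheme, is denied by default.
bool may_open_externally(const std::string& uri) {
    const std::string scheme = uri_scheme(uri);
    return scheme == "http" || scheme == "https";
}

int main() {
    // Constructed field values, as they might appear in a packet detail tree.
    const char* samples[] = {
        "https://example.org/a",   // allowed
        "HTTP://example.org",      // allowed: scheme compare is case-insensitive
        "file:///tmp/x.desktop",   // blocked: local file
        "nfs://host/export",       // blocked: would trigger a mount
        "dav://host/share",        // blocked
        "/tmp/x.desktop",          // blocked: no scheme at all
        " http://example.org",     // blocked: leading space, not a valid scheme
    };
    for (const char* s : samples)
        std::printf("%-26s %s\n", s, may_open_externally(s) ? "open" : "blocked");
    return 0;
}
```

The check is an allowlist rather than a blocklist of known-bad schemes, so a handler registered later on the system is denied without any change to the code.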

Comment 3 Todd Cullum 2021-03-24 21:08:30 UTC
External References:

https://www.wireshark.org/security/wnpa-sec-2021-03

Comment 4 Todd Cullum 2021-03-24 21:42:13 UTC
Mitigation:

This flaw can be entirely mitigated by ensuring that Wireshark users do not click arbitrary links found in wire captures and from pcapng files. The exploitation of this flaw requires the user to click links found in the Wireshark UI.

Comment 5 Todd Cullum 2021-03-31 23:57:05 UTC
Statement:

Versions of Wireshark shipped with Red Hat Enterprise Linux 6, 7, and 8 are not affected by this flaw.

Comment 6 Product Security DevOps Team 2021-04-01 05:35:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22191