1919923 – (CVE-2020-26421) CVE-2020-26421 wireshark: USB HID dissector crash (wnpa-sec-2020-17)

Bug 1919923 (CVE-2020-26421) - CVE-2020-26421 wireshark: USB HID dissector crash (wnpa-sec-2020-17)

Summary: CVE-2020-26421 wireshark: USB HID dissector crash (wnpa-sec-2020-17)

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-26421
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1919926 1923659
Blocks:	1919925
TreeView+	depends on / blocked

Reported:	2021-01-25 12:01 UTC by Dhananjay Arunesh
Modified:	2021-09-28 17:05 UTC (History)
CC List:	9 users (show)
Fixed In Version:	wireshark 3.2.9, wireshark 3.4.1
Doc Type:	If docs needed, set a value
Doc Text:	A heap buffer overflow was discovered in the USB HID dissector of Wireshark while decoding packets captured in a pcap file or coming from the network. A remote attacker may abuse this flaw by sending specially crafted packets that, when processed, would make Wireshark crash resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-06-29 20:59:02 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2021-01-25 12:01:50 UTC

USB HID dissector crash fixed in 3.2.9, 3.4.1

References:
https://www.wireshark.org/security/wnpa-sec-2020-17
https://gitlab.com/wireshark/wireshark/-/issues/16958
https://www.wireshark.org/lists/wireshark-announce/202012/msg00000.html
https://www.wireshark.org/lists/wireshark-announce/202012/msg00001.html

Comment 1 Dhananjay Arunesh 2021-01-25 12:02:50 UTC

Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1919926]

Comment 2 Mauro Matteo Cascella 2021-02-01 16:55:22 UTC

External References:

https://www.wireshark.org/security/wnpa-sec-2020-17

Comment 3 Mauro Matteo Cascella 2021-02-01 16:57:59 UTC

Upstream fix:
https://gitlab.com/wireshark/wireshark/-/commit/d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1

Comment 6 Mauro Matteo Cascella 2021-02-03 17:50:59 UTC

The USB HID dissector (epan/dissectors/packet-usb-hid.c) ends up calling decode_bits_in_field() (via proto_tree_add_bits_item) with a large data_size. Since decode_bits_in_field() did not check the passed argument, this could lead to a heap based buffer overflow when trying to access the 'str' buffer, allocated in the same function through wmem_alloc0().

Note You need to log in before you can comment on or make changes to this bug.