Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via packet injection or a crafted capture file.
Upstream Reference:
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22191.json
https://gitlab.com/wireshark/wireshark/-/issues/17232
Created wireshark tracking bugs for this issue: Affects: fedora-all [bug 1941479]
Flaw summary: In Wireshark's graphical user interface, clicking URIs in pcapng files and wire captures causes them to be "opened" by the default program. In the case of HTTP and HTTPS schemes, this normally occurs in the default web browser. However, other schemes such as file, ftp, dav, nfs, etc. can perform undesired actions such as running a .desktop file or mounting an NFS volume, depending on system configuration. This, along with social engineering, could be used by an attacker to trick the user into mounting an undesired volume or, in the worst case, to achieve code execution. To be exploited, the attack requires the victim user to click/open a malicious URI, and the system to be configured to execute that file. The root cause is arbitrary schemes being passed to QDesktopServices::openUrl(). The patch modifies ProtoTree::itemDoubleClicked() to only allow http and https.
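The scheme allowlist described in the flaw summary, as an added example; this is not Wireshark's patch or code from this bug. It uses only the C++ standard library (no Qt) so it runs stand-alone, and the function names uri_scheme and may_open_from_capture and all sample URIs are hypothetical.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Returns the lower-cased scheme, or an empty string when there is no valid scheme.
std::string uri_scheme(const std::string &uri) {
    const std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = uri.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (char &c : scheme) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (!std::isalnum(u) && c != '+' && c != '-' && c != '.') return "";
        c = static_cast<char>(std::tolower(u));  // schemes are case-insensitive
    }
    return scheme;
}

// Default-deny gate to call before handing text taken from packet data to the
// desktop's URL opener: only http and https pass, everything else is refused.
bool may_open_from_capture(const std::string &uri) {
    const std::string scheme = uri_scheme(uri);
    return scheme == "http" || scheme == "https";
}

int main() {
    // Constructed sample values standing in for URI fields shown in the packet tree.
    const char *samples[] = {
        "https://www.wireshark.org/security/wnpa-sec-2021-03",
        "HTTP://example.test/",
        "file:///tmp/example.desktop",
        "nfs://example.test/export",
        "dav://example.test/share",
        " http://example.test/",     // leading space: not a valid scheme, refused
        "example.test/no-scheme",    // no scheme at all, refused
    };
    for (const char *s : samples)
        std::cout << (may_open_from_capture(s) ? "open   " : "refuse ") << s << '\n';
    return 0;
}
```

The check is an allowlist rather than a blocklist of known-risky schemes, so a handler registered on the system later is refused by default.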
External References: https://www.wireshark.org/security/wnpa-sec-2021-03
Mitigation: This flaw can be entirely mitigated by ensuring that Wireshark users do not click arbitrary links found in wire captures and pcapng files. The exploitation of this flaw requires the user to click links found in the Wireshark UI.
Statement: Versions of Wireshark shipped with Red Hat Enterprise Linux 6, 7, and 8 are not affected by this flaw.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22191