CVE-2024-2955 Overview
A denial of service vulnerability exists in the T.38 dissector component of Wireshark, affecting versions 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13. This vulnerability allows attackers to crash Wireshark through packet injection or by processing a specially crafted capture file. The flaw is related to improper memory handling (CWE-762: Mismatched Memory Management Routines and CWE-763: Release of Invalid Pointer or Reference), which can be triggered when parsing malformed T.38 protocol data.
Critical Impact
Attackers can remotely crash Wireshark instances by injecting malicious packets or tricking users into opening crafted capture files, disrupting network analysis operations and potentially affecting security monitoring capabilities.
Affected Products
- Wireshark versions 4.2.0 to 4.0.3
- Wireshark versions 4.0.0 to 4.0.13
- Fedora 39 and Fedora 40 (packages including affected Wireshark versions)
Discovery Timeline
- 2024-03-26 - CVE-2024-2955 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-2955
Vulnerability Analysis
The vulnerability resides in Wireshark's T.38 protocol dissector, which is responsible for parsing T.38 fax-over-IP traffic. The underlying issue stems from mismatched memory management routines (CWE-762) and the release of an invalid pointer or reference (CWE-763). When processing malformed T.38 packets, the dissector fails to properly handle memory operations, leading to a crash condition.
The T.38 dissector is automatically invoked when Wireshark encounters T.38 protocol data, making this vulnerability exploitable through passive capture of malicious network traffic or by opening a crafted PCAP file. Since the attack vector is network-based and requires no user interaction beyond normal Wireshark usage, this vulnerability presents a significant risk to network analysts and security professionals who rely on Wireshark for traffic analysis.
Root Cause
The root cause of this vulnerability is improper memory management within the T.38 dissector code. Specifically, the vulnerability involves mismatched memory management routines where memory allocated by one function may be freed by an incompatible routine, or an invalid pointer reference is released. This type of memory corruption typically occurs when there is a mismatch between memory allocation and deallocation methods, or when a pointer is freed multiple times or after becoming invalid.
Attack Vector
The attack can be executed through two primary vectors:
Packet Injection: An attacker on the same network segment can inject malformed T.38 packets that are captured by a running Wireshark instance. When Wireshark attempts to dissect these packets, the T.38 dissector crashes.
Crafted Capture File: An attacker can create a malicious PCAP or PCAPNG file containing crafted T.38 protocol data. When a victim opens this file in Wireshark, the application crashes during the parsing process.
Both attack methods require no authentication and can be executed remotely. The vulnerability enables complete denial of service of the Wireshark application, disrupting ongoing network analysis sessions and potentially causing loss of unsaved capture data.
Detection Methods for CVE-2024-2955
Indicators of Compromise
- Unexpected Wireshark application crashes during network capture or file analysis
- Crash reports indicating faults within the T.38 dissector module
- Presence of suspicious PCAP files containing malformed T.38 protocol data
- Network captures showing unusual T.38 packet structures or malformed headers
Detection Strategies
- Monitor for repeated Wireshark process crashes using system logging and process monitoring tools
- Implement file integrity monitoring for capture files received from external sources
- Deploy network intrusion detection signatures to identify malformed T.38 packets
- Review system crash logs for memory-related errors associated with Wireshark processes
Monitoring Recommendations
- Enable core dump generation for Wireshark to facilitate post-crash analysis
- Implement centralized logging for workstations running Wireshark to detect crash patterns
- Consider sandboxing Wireshark when analyzing untrusted capture files
- Monitor for attempts to send or upload suspicious PCAP files to analysis workstations
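As an added illustration of the crash-log review and centralized-logging recommendations above (example code, not from the page or the Wireshark project), the script below parses systemd-coredump style journal lines, keeps only crashes of Wireshark-family binaries whose backtrace passes through a T.38 dissector symbol, and flags hosts that crash that way repeatedly inside one time window. The log lines and symbol names are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in systemd-coredump / journald style; symbol names are illustrative.
SAMPLE_LOG = """\
Mar 27 10:01:12 analyst-ws systemd-coredump[4211]: Process 3981 (wireshark) of user 1000 dumped core.
Mar 27 10:01:12 analyst-ws systemd-coredump[4211]: #0 0x00007f3a1c2b4e1d free (libc.so.6)
Mar 27 10:01:12 analyst-ws systemd-coredump[4211]: #1 0x00007f3a1e7c9a02 dissect_t38 (libwireshark.so.17)
Mar 27 10:03:45 analyst-ws systemd-coredump[4290]: Process 4102 (tshark) of user 1000 dumped core.
Mar 27 10:03:45 analyst-ws systemd-coredump[4290]: #0 0x00007f3a1c2b4e1d free (libc.so.6)
Mar 27 10:03:45 analyst-ws systemd-coredump[4290]: #1 0x00007f3a1e7c9a02 dissect_t38 (libwireshark.so.17)
Mar 27 11:20:02 analyst-ws systemd-coredump[5120]: Process 5001 (firefox) of user 1000 dumped core.
Mar 27 15:30:00 analyst-ws systemd-coredump[6001]: Process 5900 (wireshark) of user 1000 dumped core.
Mar 27 15:30:00 analyst-ws systemd-coredump[6001]: #0 0x00007f3a1e1100aa dissect_sip (libwireshark.so.17)
"""

PROCESS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
                        r"Process \d+ \((?P<name>[^)]+)\) of user \d+ dumped core\.$")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ (?P<sym>\S+) \([^)]+\)$")
WIRESHARK_BINARIES = {"wireshark", "tshark", "rawshark"}

def parse_crashes(log_text, year=2024):
    """Group each 'dumped core' line with the stack frames logged right after it."""
    crashes = []
    for line in log_text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            crashes.append({"ts": ts, "host": m["host"], "name": m["name"], "frames": []})
            continue
        f = FRAME_RE.search(line)
        if f and crashes:
            crashes[-1]["frames"].append(f["sym"])
    return crashes

def t38_dissector_crashes(crashes):
    """Wireshark-family crashes whose backtrace contains a T.38 dissector symbol."""
    return [c for c in crashes if c["name"] in WIRESHARK_BINARIES
            and any("t38" in sym.lower() for sym in c["frames"])]

def repeated_crashes(crashes, window=timedelta(hours=1), threshold=2):
    """Hosts with at least `threshold` T.38 dissector crashes inside one `window`."""
    by_host = {}
    for c in t38_dissector_crashes(crashes):
        by_host.setdefault(c["host"], []).append(c["ts"])
    alerted = []
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerted.append(host)
                break
    return alerted
```

A single crash is weak evidence on its own; the repeated-crash rule is what separates a crafted-capture pattern from an ordinary one-off fault.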
How to Mitigate CVE-2024-2955
Immediate Actions Required
- Update Wireshark to the latest patched version immediately
- Avoid opening capture files from untrusted or unknown sources
- Disable the T.38 dissector if T.38 protocol analysis is not required: Edit > Preferences > Protocols > T38
- Consider using TShark with filtering to exclude T.38 traffic when processing untrusted captures
Patch Information
Wireshark has released security patches addressing this vulnerability. Users should upgrade to versions beyond the affected range (4.0.0 to 4.0.13 and 4.2.0 to 4.0.3). Detailed patch information is available in the Wireshark Security Advisory. Additionally, Fedora users should update via their distribution's package manager to receive patched versions as announced in the Fedora Package Announcements.
Workarounds
- Disable the T.38 protocol dissector in Wireshark preferences if T.38 analysis is not needed
- Use capture filters to exclude T.38 traffic when capturing from untrusted networks
- Pre-validate capture files using automated scanning before opening in Wireshark
- Run Wireshark in a sandboxed environment or virtual machine when analyzing untrusted files
```shell
# Disable the T.38 dissector via the command line when reading an untrusted capture
# (--disable-protocol is the tshark option that switches a dissector off entirely)
tshark --disable-protocol t38 -r capture.pcap
# Filter out T.38 traffic during capture. T.38 over UDPTL has no fixed port; the port is
# negotiated in SDP, so adjust this capture filter to the port(s) in use on your network.
tshark -f "not port 6004" -w filtered_capture.pcap
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.