CVE-2024-8250 Overview
CVE-2024-8250 is a denial of service vulnerability affecting the NTLMSSP (NT LAN Manager Security Support Provider) dissector in Wireshark. The vulnerability allows attackers to crash the application through packet injection or by having a user open a specially crafted capture file. This affects Wireshark versions 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16, impacting security analysts and network administrators who rely on Wireshark for network traffic analysis.
Critical Impact
Attackers can cause Wireshark to crash via malicious network packets or capture files, disrupting network analysis operations and potentially masking malicious activity during incident response.
Affected Products
- Wireshark versions 4.2.0 to 4.0.6
- Wireshark versions 4.0.0 to 4.0.16
- Systems running affected Wireshark versions on any supported operating system
Discovery Timeline
- August 29, 2024 - CVE-2024-8250 published to NVD
- November 03, 2025 - Last updated in NVD database
Technical Details for CVE-2024-8250
Vulnerability Analysis
This vulnerability stems from memory safety issues in the NTLMSSP dissector component of Wireshark. It is classified under CWE-825 (Expired Pointer Dereference) and CWE-787 (Out-of-Bounds Write), indicating that the dissector improperly handles memory when parsing NTLMSSP protocol data. When processing malformed NTLMSSP authentication messages, the dissector may access memory that has already been freed or write data beyond allocated buffer boundaries, leading to an application crash.
The attack requires local access, meaning an attacker must either inject packets on the same network segment being captured or convince a user to open a malicious capture file. While user interaction is required (opening a capture file or capturing traffic), no special privileges are needed to exploit this vulnerability. The impact is limited to availability—confidentiality and integrity are not affected.
Root Cause
The root cause lies in improper memory management within the NTLMSSP dissector. The dissector fails to properly validate and handle certain edge cases in NTLMSSP message structures, resulting in either an expired pointer dereference (CWE-825) where the code accesses memory through a pointer that is no longer valid, or an out-of-bounds write (CWE-787) where data is written beyond the boundaries of allocated memory. Both conditions can lead to memory corruption and subsequent application crash.
Attack Vector
The attack vector is local, requiring the attacker to either be on the same network segment to inject malicious packets during a live capture, or to deliver a crafted capture file (.pcap or .pcapng) to the victim. Attack scenarios include:
Network-based injection: An attacker on the same network broadcasts or sends specially crafted NTLMSSP authentication packets that trigger the vulnerability when Wireshark captures and dissects them.
File-based attack: An attacker distributes a malicious capture file via email, file share, or other means. When a security analyst opens the file in Wireshark for analysis, the application crashes.
The vulnerability requires user interaction—either actively capturing network traffic or opening a capture file. This limits the exploitability compared to fully remote attacks but remains a significant concern for security professionals who routinely analyze untrusted capture files.
Detection Methods for CVE-2024-8250
Indicators of Compromise
- Unexpected Wireshark crashes when capturing network traffic containing NTLMSSP authentication
- Application crashes when opening specific .pcap or .pcapng files
- Crash dumps or error logs referencing the NTLMSSP dissector or related memory access violations
- Repeated Wireshark crashes during incident response or forensic analysis activities
Detection Strategies
- Monitor for Wireshark process crashes with memory access violation errors in system logs
- Implement application crash monitoring and alerting for Wireshark processes in security operations environments
- Use endpoint detection solutions to identify anomalous application terminations
- Review Windows Event Logs or Linux syslog for application faults related to Wireshark
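The detection strategies above come down to spotting Wireshark or TShark faults in host logs and noticing when they repeat. The following Python script is an added example (it is not part of the original page and is not Wireshark project code) that runs that logic over a constructed syslog excerpt: it picks out kernel segfault lines for the watched processes, classifies each fault as a read or a write from the x86 page-fault error code, keeps only faults that land inside the dissection library, correlates them with systemd-coredump records by PID, and raises an alert when one process crashes repeatedly. The log lines, PIDs, addresses and the shared-object name are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed syslog excerpt for this example; not captured from a real host.
SAMPLE_LOG = """\
Sep 03 10:14:02 analyst-ws kernel: wireshark[23144]: segfault at 0 ip 00007f3a1c2b4d21 sp 00007ffd3a2c1d40 error 4 in libwireshark.so.17[7f3a1b800000+1e00000]
Sep 03 10:14:02 analyst-ws systemd-coredump[23150]: Process 23144 (wireshark) of user 1000 dumped core.
Sep 03 10:15:30 analyst-ws sshd[2201]: Accepted publickey for analyst from 10.0.0.5 port 51234 ssh2
Sep 03 10:20:11 analyst-ws kernel: tshark[23301]: segfault at 18 ip 00007f0e5d8c3c10 sp 00007ffc9e5a1f30 error 6 in libwireshark.so.17[7f0e5d000000+1e00000]
Sep 03 10:21:00 analyst-ws systemd-coredump[23310]: Process 23301 (tshark) of user 1000 dumped core.
Sep 03 10:22:45 analyst-ws kernel: firefox[4410]: segfault at 8 ip 00005600a1b2c3d4 sp 00007ffe1a2b3c40 error 4 in firefox[5600a1000000+400000]
Sep 03 10:30:02 analyst-ws kernel: wireshark[23500]: segfault at 0 ip 00007f3a1c2b4d21 sp 00007ffd3a2c1d40 error 4 in libwireshark.so.17[7f3a1b800000+1e00000]
"""

# Processes whose faults we care about; the GUI and the CLI share the dissector library.
WATCHED_PROCESSES = {"wireshark", "tshark"}

# Linux kernel segfault report: "<proc>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[...]"
SEGFAULT_RE = re.compile(
    r"kernel: (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+) in (?P<obj>[^\[\s]+)\["
)
# systemd-coredump record, used to confirm a dump exists for the faulting PID.
COREDUMP_RE = re.compile(r"Process (?P<pid>\d+) \((?P<proc>[\w.-]+)\) of user \d+ dumped core")


@dataclass
class CrashEvent:
    process: str
    pid: int
    fault: str          # "read" or "write"
    fault_addr: int
    in_object: str      # object the faulting instruction belongs to
    core_dumped: bool = False


def classify_fault(err: int) -> str:
    # x86 page-fault error code: bit 1 set means the faulting access was a write.
    # A write fault is the signature one would expect from an out-of-bounds write (CWE-787);
    # a read fault is what a dereference through a stale pointer (CWE-825) typically produces.
    return "write" if err & 0x2 else "read"


def parse_crashes(lines: Iterable[str]) -> List[CrashEvent]:
    """Collect segfaults for watched processes and mark those that also produced a core dump."""
    events: Dict[int, CrashEvent] = {}
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if m and m["proc"] in WATCHED_PROCESSES:
            pid = int(m["pid"])
            events[pid] = CrashEvent(m["proc"], pid, classify_fault(int(m["err"])),
                                     int(m["addr"], 16), m["obj"])
            continue
        m = COREDUMP_RE.search(line)
        if m and int(m["pid"]) in events:
            events[int(m["pid"])].core_dumped = True
    return list(events.values())


def dissector_crashes(events: List[CrashEvent]) -> List[CrashEvent]:
    """Keep faults whose instruction pointer was inside the dissection library (libwireshark)."""
    return [e for e in events if e.in_object.startswith("libwireshark")]


def repeated_crash_alerts(events: List[CrashEvent], threshold: int = 2) -> Dict[str, int]:
    """Processes that crashed at least `threshold` times in the reviewed window."""
    counts = Counter(e.process for e in events)
    return {proc: n for proc, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = dissector_crashes(parse_crashes(SAMPLE_LOG.splitlines()))
    for e in found:
        print(f"{e.process}[{e.pid}] {e.fault} fault at {e.fault_addr:#x} in {e.in_object} core={e.core_dumped}")
    print("repeated:", repeated_crash_alerts(found))
```

On a real host the same parser can be fed from `journalctl -k` or /var/log/syslog; the unrelated firefox fault in the sample is dropped because it is neither a watched process nor inside libwireshark, which keeps the alert focused on dissector crashes rather than every application fault on the workstation.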
Monitoring Recommendations
- Deploy endpoint monitoring to track Wireshark application stability across analyst workstations
- Implement file integrity monitoring for capture files stored in shared analysis repositories
- Configure crash reporting tools to alert on repeated Wireshark failures
- Consider sandboxing or isolated analysis environments for examining untrusted capture files
How to Mitigate CVE-2024-8250
Immediate Actions Required
- Update Wireshark to the latest patched version immediately
- Avoid opening untrusted capture files until the patch is applied
- Consider temporarily disabling the NTLMSSP dissector if immediate patching is not possible
- Review capture file sources and implement access controls on shared analysis repositories
Patch Information
Wireshark has released security updates to address this vulnerability. Users should upgrade to the latest stable release that includes the fix. Detailed information is available in the Wireshark Security Advisory WNPA-SEC-2024-11. Additional technical details can be found in the GitLab Wireshark Issue tracker. Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Disable the NTLMSSP dissector using Wireshark's protocol preferences (Analyze > Enabled Protocols and uncheck NTLMSSP)
- Use the command-line option --disable-protocol ntlmssp to disable the dissector when running TShark
- Analyze untrusted capture files in isolated virtual machines or sandboxed environments
- Filter out NTLMSSP traffic before analysis using BPF filters when capturing
# Disable NTLMSSP dissector via command line
wireshark --disable-protocol ntlmssp
# Or for TShark
tshark --disable-protocol ntlmssp -r capture.pcap
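To apply the workaround consistently across analyst workstations it helps to check the installed version against the affected range before choosing how to open an untrusted capture. The Python script below is an added example, not code from the page or from the Wireshark project: it parses the version line printed by `tshark -v` (a constructed sample is embedded), decides whether it falls in an affected range, and builds the TShark command line shown above with the NTLMSSP dissector disabled. Only the 4.0.0 to 4.0.16 range is coded from the page; the 4.2 branch is also listed as affected but its upper bound is left as a placeholder to be filled from the WNPA-SEC-2024-11 advisory. The `installed_version` helper shells out to a real `tshark` binary and is only meaningful on a host that has one.

```python
import re
import subprocess
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, int, int]

# Affected range as stated on this page for the 4.0 branch. The 4.2 branch is affected too;
# replace the placeholder below with the bound from advisory WNPA-SEC-2024-11 before use.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((4, 0, 0), (4, 0, 16)),
    # ((4, 2, 0), (4, 2, UPPER_BOUND_FROM_ADVISORY)),  # placeholder, not on this page
]

# Constructed sample of the first line `tshark -v` prints on a 4.0.x install.
SAMPLE_VERSION_OUTPUT = "TShark (Wireshark) 4.0.10 (Git v4.0.10 packaged as 4.0.10-1)\n"


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z triple from `tshark -v` / `wireshark -v` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version,
                ranges: Sequence[Tuple[Version, Version]] = AFFECTED_RANGES) -> bool:
    """Tuple comparison gives lexicographic major.minor.patch ordering."""
    return any(lo <= version <= hi for lo, hi in ranges)


def safe_tshark_argv(capture_path: str, tshark: str = "tshark",
                     extra: Sequence[str] = ()) -> List[str]:
    """TShark command for an untrusted capture with the NTLMSSP dissector switched off."""
    return [tshark, "--disable-protocol", "ntlmssp", "-r", capture_path, *extra]


def installed_version(tshark: str = "tshark") -> Optional[Version]:
    """Query the local binary; returns None if tshark is missing or does not respond."""
    try:
        out = subprocess.run([tshark, "-v"], capture_output=True, text=True,
                             timeout=10, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(out)


def plan_for_capture(version: Optional[Version], capture_path: str) -> List[str]:
    """Always disable the dissector on an affected or unknown version; otherwise dissect normally."""
    if version is None or is_affected(version):
        return safe_tshark_argv(capture_path)
    return ["tshark", "-r", capture_path]


if __name__ == "__main__":
    v = installed_version() or parse_version(SAMPLE_VERSION_OUTPUT)
    print("version:", v, "affected:", is_affected(v))
    print(" ".join(plan_for_capture(v, "untrusted.pcap")))
```

Treating an unknown version as affected is deliberate: a workstation where the check cannot run is exactly the one whose patch state is in doubt, so it gets the conservative command line.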
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.