top of page
Writer's pictureLaura Chappell

In the Wake of XZ - 3 Steps to Use Wireshark Securely

XZ creepy cartoon

The discovery of malicious code in the XZ utils tarball has shaken up a lot of folks. XZ utils have been removed from Github and the following Github advisory was published:


Github advisory:

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.


Let's Talk About Wireshark Security

Wireshark is also an open source project with hundreds of developers who have contributed to the code. Could one of those contributors have malicious intent? Yes. Will they be able to hide malicious code inside Wireshark? Maybe.


You can help protect yourself by following some simple guidelines when using Wireshark.


#1 Keep Wireshark Up to Date!

Each realease of Wireshark includes bug fixes, so stay current with the latest version. Bug fixes are typically listed in the News text file released with each Wireshark version.


#2 Separate Your Capture and Analysis Hosts

capture on one machine - analyze on another machine

You don't need to be a privileged user to run Wireshark. Install Wireshark on a system that will be used for analysis only. Capture using another system (and permit required access) or use another capture tool, such as a tap.


Back at Wireshark version 1, the developers added privilege separation to Wireshark, separating the capture process from the analysis process (something we still push for today for various reasons).


We often separate out these two tasks because we need a better capture tool to keep up with traffic or provide additional features during the capture process. This separation enables us to run Wireshark with fewer privileges and completely separate from the network if desired.


#3 Don't Run Wireshark as Root

You don't need to run Wireshark as Root or Admin. See https://gitlab.com/wireshark/wireshark/-/wikis/Development/PrivilegeSeparation for platform-specific information about capture privileges for virtual machines, Unix, Linux, MacOS, and more.


Npcap configuration window

That Privilege Separation page is a bit outdated for Windows hosts - still referring to the old WinPcap driver. These days, we use the Npcap driver created by Gordon Lyon (the creator of Nmap).




During the installation of Npcap, you can restrict packet capture to Administrators only (although this setting is off by default).


Per the Npcap info page, "If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets. We've also enabled the Windows ASLR and DEP security features and signed the driver, DLLs, and executables to prevent tampering." (For more information on Npcap, visit https://npcap.com.)


If the XZ utils situation has made you nervous, take some steps now to run Wireshark as securely as possible.


See also:




Comentarios


bottom of page