CVE-2023-3649: CWE-126: Buffer Over-read in Wireshark Foundation Wireshark
iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file
AI Analysis
Technical Summary
CVE-2023-3649 is a buffer over-read vulnerability categorized under CWE-126 found in the iSCSI protocol dissector component of Wireshark versions 4.0.0 through 4.0.6. The flaw arises when Wireshark processes specially crafted iSCSI packets or capture files, leading to reading beyond the allocated buffer boundaries. This improper memory access causes the application to crash, resulting in a denial of service condition. The vulnerability does not require elevated privileges but does require user interaction, such as opening a malicious capture file or receiving a malicious packet during live capture. The attack vector is local or adjacent network (AV:L), with low attack complexity (AC:L). The impact affects confidentiality, integrity, and availability to a limited degree, primarily through application crash and potential information leakage from buffer over-read. No public exploits have been reported, and no patches are currently linked, indicating the need for vendor updates. Wireshark is widely used by network administrators and security analysts for packet inspection and forensic analysis, making this vulnerability relevant in environments where untrusted capture files might be opened or malicious traffic could be injected.
Potential Impact
For European organizations, the primary impact is denial of service on systems running vulnerable Wireshark versions, potentially disrupting network monitoring and forensic activities. This can delay incident response and network troubleshooting, especially in security operations centers (SOCs) and large enterprises relying on Wireshark for packet analysis. The buffer over-read could also lead to limited information disclosure, though no evidence suggests widespread data leakage. Organizations handling sensitive network traffic or critical infrastructure may face operational risks if attackers exploit this vulnerability to crash analysis tools during incident investigations. The requirement for user interaction and local or adjacent network access limits remote exploitation but does not eliminate risk in environments where untrusted capture files are shared or malicious packets can be injected into monitored networks. The medium severity rating reflects these factors, emphasizing the need for cautious handling of capture files and network traffic in sensitive environments.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately restrict usage of Wireshark versions 4.0.0 to 4.0.6, especially in production or critical environments.
2) Monitor vendor communications and apply patches as soon as they become available.
3) Enforce strict policies to avoid opening capture files from untrusted or unknown sources.
4) Use sandboxed or isolated environments for packet analysis to contain potential crashes and prevent impact on critical systems.
5) Employ network segmentation and filtering to limit exposure to malicious iSCSI packets, particularly in environments where Wireshark is used for live capture.
6) Educate SOC and network teams about the risks of crafted capture files and encourage verification of file provenance before analysis.
7) Consider alternative packet analysis tools temporarily if patching is delayed, to maintain operational continuity.
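Mitigation 1) presumes you can tell which installs fall inside the 4.0.0 to 4.0.6 range. The following is an added inventory check, not code from the advisory or from the Wireshark project: it parses the banner printed by `tshark --version` / `wireshark --version` (the banner layout is an assumption), compares versions as integer tuples so that 4.0.10 is not mistaken for a vulnerable release, and classifies a set of constructed sample banners the way a fleet audit job would.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected range stated in the advisory: Wireshark 4.0.0 through 4.0.6, inclusive.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 0, 6)
# Assumed banner formats: "TShark (Wireshark) 4.0.6 (Git v4.0.6 ...)" and "Wireshark 4.0.6 (...)".
_VERSION_RE = re.compile(r"Wireshark\)?\s+(\d+)\.(\d+)\.(\d+)")

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a --version banner, or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the CVE-2023-3649 range; integer tuples are compared,
    so 4.0.10 sorts after 4.0.6, whereas a string compare ("4.0.10" < "4.0.6") would flag it."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def classify(banner: str) -> str:
    """Map a banner to 'affected', 'not-affected' or 'unknown' (no version parsed)."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not-affected"

def check_local_install(binary: str = "tshark") -> str:
    """Classify the binary on PATH, or report 'missing' when it is not installed."""
    path = shutil.which(binary)
    if path is None:
        return "missing"
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return classify(out.stdout)

# Constructed sample banners for offline use; not collected from real hosts.
SAMPLE_BANNERS = {
    "host-a": "TShark (Wireshark) 4.0.6 (Git v4.0.6 packaged as 4.0.6-1).",
    "host-b": "Wireshark 4.0.10 (Git v4.0.10 packaged as 4.0.10-1).",
    "host-c": "TShark (Wireshark) 3.6.15 (Git v3.6.15 packaged as 3.6.15-1).",
    "host-d": "tshark: command not found",
}

def audit(banners=SAMPLE_BANNERS) -> dict:
    return {host: classify(b) for host, b in banners.items()}
```

Hosts reported as "unknown" need a manual look, since an unparseable banner usually means a nonstandard build or a missing install rather than a safe one.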
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitLab
- Date Reserved: 2023-07-13T02:21:11.517Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69092633fe7723195e0b617e
Added to database: 11/3/2025, 10:01:23 PM
Last enriched: 11/3/2025, 11:38:33 PM
Last updated: 11/6/2025, 11:01:22 AM