Suricata IDS (Suricata)

By the Year

In 2024 there have been 0 vulnerabilities in Suricata IDS (Suricata). Suricata did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 0 0.00
2020 1 9.10
2019 12 8.16
2018 3 6.77

It may take a day or so for new Suricata vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Suricata Ids Suricata Security Vulnerabilities

CVE-2019-18792 9.1 - Critical - January 06, 2020

An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any TCP-based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack numbers are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both Linux and Windows clients ignore the injected packet.

Code Injection

CVE-2019-17420 5.3 - Medium - October 10, 2019

In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.

Improper Input Validation

CVE-2019-15699 9.1 - Critical - September 24, 2019

An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.

Out-of-bounds Read

CVE-2019-16410 9.1 - Critical - September 24, 2019

An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.

Out-of-bounds Read

CVE-2019-16411 9.8 - Critical - September 24, 2019

An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of header and 3 bytes of data). Then, "flag = *(o->data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.

Out-of-bounds Read

CVE-2019-10054 7.5 - High - August 28, 2019

An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.

Buffer Overflow

CVE-2019-10055 7.5 - High - August 28, 2019

An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.

Improper Input Validation

CVE-2019-10056 7.5 - High - August 28, 2019

An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't re-check the remaining length. Specifically, if the packet is exactly 28 bytes long, the first iteration subtracts 14 bytes, so the code is then working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.

Buffer Overflow

CVE-2019-10051 7.5 - High - August 28, 2019

An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.

Improper Check for Unusual or Exceptional Conditions

CVE-2019-10052 7.5 - High - August 28, 2019

An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.

Improper Neutralization

CVE-2019-10053 9.8 - Critical - May 13, 2019

An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.

Integer underflow

CVE-2018-10244 9.8 - Critical - April 04, 2019

Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/IP PDU. A malformed PDU can cause the parsing code to read beyond the allocated data because DecodeENIPPDU in app-layer-enip-common.c has an integer overflow during a length check.

Integer Overflow or Wraparound

CVE-2018-10242 7.5 - High - April 04, 2019

Suricata version 4.0.4 incorrectly handles the parsing of the SSH banner. A malformed SSH banner can cause the parsing code to read beyond the allocated data because SSHParseBanner in app-layer-ssh.c lacks a length check.

Out-of-bounds Read

CVE-2018-18956 7.5 - High - November 05, 2018

The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.

Buffer Overflow

CVE-2018-14568 7.5 - High - July 23, 2018

Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. This allows detection bypass because Windows TCP clients proceed with normal processing of TCP data that arrives shortly after an RST (i.e., they act as if the RST had not yet been received).

CVE-2018-6794 5.3 - Medium - February 07, 2018

Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.

Protection Mechanism Failure
