It was reported [1] that the application parser for SSH integrated in Suricata contains a flaw that might lead to an out-of-bounds access. For this reason a Denial of Service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.

The application parser for SSH (src/app-layer-ssh.c) contains a function SSHParseBanner. In case the parsed buffer is either "SSH-2.0\r-MySSHClient-0.5.1\n" or "SSH-2.0-\rMySSHClient-0.5.1\n" the function will behave in the wrong way and attempt either a very big memory allocation or an out of bounds array access with negative index, which also might lead to out-of-bounds write access under certain conditions. The problem is caused due to the fact that the end of the banner and start of the software version are computed independently.

More information:
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/

[1]: http://seclists.org/fulldisclosure/2014/Sep/79
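The root cause named in the description, two boundaries computed independently, is avoided when every offset is derived from one validated end-of-line position. The following C parser is an added example, not Suricata's code or its fix; `ssh_banner`, `parse_ssh_banner` and `parse_ssh_banner_str` are hypothetical names, and the banner layout `SSH-<proto>-<software>[\r]\n` is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result type for this example; not Suricata's structure. */
typedef struct { char proto[16]; char software[64]; } ssh_banner;

/* Assumed layout: "SSH-<proto>-<software>[\r]\n". Returns 0, or -1 if malformed. */
int parse_ssh_banner(const unsigned char *buf, size_t len, ssh_banner *out)
{
    /* 1. Find the end of the line once; every later offset is bounded by it. */
    const unsigned char *nl = memchr(buf, '\n', len);
    if (nl == NULL || len < 4 || memcmp(buf, "SSH-", 4) != 0)
        return -1;
    const unsigned char *end = nl;          /* nl >= buf + 4 after the prefix check */
    if (end > buf + 4 && end[-1] == '\r')
        end--;                              /* a CR is accepted only directly before LF */

    /* 2. A CR anywhere else in the line is rejected, so it can never act as an
     *    "end of banner" that lies before the start of the software version. */
    if (memchr(buf, '\r', (size_t)(end - buf)) != NULL)
        return -1;

    /* 3. Search for the separator inside [proto, end) only. */
    const unsigned char *proto = buf + 4;
    const unsigned char *dash = memchr(proto, '-', (size_t)(end - proto));
    if (dash == NULL)
        return -1;
    size_t proto_len = (size_t)(dash - proto);
    size_t sw_len = (size_t)(end - (dash + 1));   /* dash < end, so no underflow */

    /* 4. Check lengths against the fixed destinations before copying. */
    if (proto_len == 0 || proto_len >= sizeof out->proto ||
        sw_len == 0 || sw_len >= sizeof out->software)
        return -1;
    memcpy(out->proto, proto, proto_len);
    out->proto[proto_len] = '\0';
    memcpy(out->software, dash + 1, sw_len);
    out->software[sw_len] = '\0';
    return 0;
}

/* Convenience wrapper for NUL-terminated test input. */
int parse_ssh_banner_str(const char *s, ssh_banner *out)
{
    return parse_ssh_banner((const unsigned char *)s, strlen(s), out);
}
```

Both banners quoted in the description are rejected at step 2, before any length is computed from them.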
Created suricata tracking bugs for this issue:

Affects: fedora-all [bug 1146021]
suricata-2.0.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.