1543249 – (CVE-2018-6794) CVE-2018-6794 suricata: HTTP detection bypass in detect.c and stream-tcp.c

Bug 1543249 (CVE-2018-6794) - CVE-2018-6794 suricata: HTTP detection bypass in detect.c and stream-tcp.c

Summary: CVE-2018-6794 suricata: HTTP detection bypass in detect.c and stream-tcp.c

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-6794
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1543250 1543251
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-08 05:17 UTC by Sam Fowler
Modified:	2019-09-29 14:32 UTC (History)
CC List:	4 users (show)
Fixed In Version:	suricata 4.1
Clone Of:
Environment:
Last Closed:	2018-09-17 23:04:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-02-08 05:17:55 UTC

Suricata before 4.1 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.


Upstream Bug:

https://redmine.openinfosecfoundation.org/issues/2427


Upstream Commit:

https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1

Comment 1 Sam Fowler 2018-02-08 05:18:15 UTC

Created suricata tracking bugs for this issue:

Affects: epel-all [bug 1543251]
Affects: fedora-all [bug 1543250]

Note You need to log in before you can comment on or make changes to this bug.