OpenCVE

Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Suricata-ids	Suricata

Configuration 1 [-]

cpe:2.3:a:suricata-ids:suricata:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1
https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html
https://redmine.openinfosecfoundation.org/issues/2427
https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/
https://www.exploit-db.com/exploits/44247/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-07T05:00:00

Updated: 2024-08-05T06:10:11.364Z

Reserved: 2018-02-06T00:00:00

Link: CVE-2018-6794

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-02-07T05:29:00.260

Modified: 2019-03-01T23:33:08.113

Link: CVE-2018-6794

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-05T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"name": "[debian-lts-announce] 20181204 [SECURITY] [DLA 1603-1] suricata security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"name": "44247", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/44247/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6794", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1", "refsource": "CONFIRM", "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"name": "[debian-lts-announce] 20181204 [SECURITY] [DLA 1603-1] suricata security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"name": "https://redmine.openinfosecfoundation.org/issues/2427", "refsource": "CONFIRM", "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"name": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/", "refsource": "CONFIRM", "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"name": "44247", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44247/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:10:11.364Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"name": "[debian-lts-announce] 20181204 [SECURITY] [DLA 1603-1] suricata security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"name": "44247", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/44247/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6794", "datePublished": "2018-02-07T05:00:00", "dateReserved": "2018-02-06T00:00:00", "dateUpdated": "2024-08-05T06:10:11.364Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suricata-ids:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BF4519B-F9BA-4476-B76E-BD28796301E8", "versionEndExcluding": "4.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}, {"lang": "es", "value": "Suricata en versiones anteriores a la 4.0.4 es propenso a una vulnerabilidad de omisi\u00f3n de detecci\u00f3n HTTP en detect.c y stream-tcp.c. Si un servidor malicioso interrumpe un flujo TCP normal y env\u00eda datos antes de que se complete el handshake tridireccional, los datos enviados por el servidor malicioso se aceptar\u00e1n por parte de clientes web como el navegador web o herramientas de interfaz de l\u00ednea de comandos de Linux, pero las firmas IDS de Suricata los ignorar\u00e1n. Esto afecta a la mayor\u00eda de firmas IDS para el contenido del flujo TCP y los protocolos HTTP. Las firmas para los paquetes TCP inspeccionar\u00e1n ese tr\u00e1fico de red como de costumbre."}], "id": "CVE-2018-6794", "lastModified": "2019-03-01T23:33:08.113", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-07T05:29:00.260", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44247/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "nvd@nist.gov", "type": "Primary"}]}