OpenCVE

An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Oisf	Suricata

Configuration 1 [-]

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

No data.

References

Link	Providers
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df
https://github.com/OISF/suricata/releases
https://redmine.openinfosecfoundation.org/issues/4710

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-12-16T04:07:57

Updated: 2024-08-04T04:32:13.665Z

Reserved: 2021-12-16T00:00:00

Link: CVE-2021-45098

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-16T05:15:08.727

Modified: 2022-01-04T16:48:54.087

Link: CVE-2021-45098

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-16T04:07:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/4710"}, {"tags": ["x_refsource_MISC"], "url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-45098", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OISF/suricata/releases", "refsource": "MISC", "url": "https://github.com/OISF/suricata/releases"}, {"name": "https://redmine.openinfosecfoundation.org/issues/4710", "refsource": "MISC", "url": "https://redmine.openinfosecfoundation.org/issues/4710"}, {"name": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942", "refsource": "MISC", "url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"}, {"name": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "refsource": "MISC", "url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.665Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OISF/suricata/releases"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://redmine.openinfosecfoundation.org/issues/4710"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-45098", "datePublished": "2021-12-16T04:07:57", "dateReserved": "2021-12-16T00:00:00", "dateUpdated": "2024-08-04T04:32:13.665Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "58D90161-8343-4EB0-BF64-2EEFFABDCEE6", "versionEndExcluding": "6.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action."}, {"lang": "es", "value": "Se ha detectado un problema en Suricata versiones anteriores a 6.0.4. Es posible omitir/evadir cualquier firma basada en HTTP al falsificar un paquete RST TCP con opciones TCP aleatorias del md5header desde el lado del cliente. Despu\u00e9s del handshake de tres v\u00edas, es posible inyectar un RST ACK con una opci\u00f3n TCP md5header aleatoria. Entonces, el cliente puede enviar una petici\u00f3n HTTP GET con una URL prohibida. El servidor ignorar\u00e1 el RST ACK y enviar\u00e1 el paquete HTTP de respuesta para la petici\u00f3n del cliente. Estos paquetes no desencadenar\u00e1n una acci\u00f3n de rechazo de Suricata"}], "id": "CVE-2021-45098", "lastModified": "2022-01-04T16:48:54.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-16T05:15:08.727", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/OISF/suricata/releases"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://redmine.openinfosecfoundation.org/issues/4710"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}