CVE-2018-6794 - OpenCVE

Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Suricata-ids	Suricata

Configuration 1 [-]

cpe:2.3:a:suricata-ids:suricata:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html	Mailing List Third Party Advisory
https://redmine.openinfosecfoundation.org/issues/2427	Third Party Advisory
https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/	Vendor Advisory
https://www.exploit-db.com/exploits/44247/	Exploit Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-07T05:00:00

Updated: 2018-12-05T10:57:01

Reserved: 2018-02-06T00:00:00

Link: CVE-2018-6794

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-07T05:29:00.260

Modified: 2019-03-01T23:33:08.113

Link: CVE-2018-6794

JSON object: View

Redhat Information

No data.

CWE

CWE-693

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-05T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"name": "[debian-lts-announce] 20181204 [SECURITY] [DLA 1603-1] suricata security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"name": "44247", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/44247/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6794", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1", "refsource": "CONFIRM", "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"name": "[debian-lts-announce] 20181204 [SECURITY] [DLA 1603-1] suricata security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"name": "https://redmine.openinfosecfoundation.org/issues/2427", "refsource": "CONFIRM", "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"name": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/", "refsource": "CONFIRM", "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"name": "44247", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44247/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6794", "datePublished": "2018-02-07T05:00:00", "dateReserved": "2018-02-06T00:00:00", "dateUpdated": "2018-12-05T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suricata-ids:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BF4519B-F9BA-4476-B76E-BD28796301E8", "versionEndExcluding": "4.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual."}, {"lang": "es", "value": "Suricata en versiones anteriores a la 4.0.4 es propenso a una vulnerabilidad de omisi\u00f3n de detecci\u00f3n HTTP en detect.c y stream-tcp.c. Si un servidor malicioso interrumpe un flujo TCP normal y env\u00eda datos antes de que se complete el handshake tridireccional, los datos enviados por el servidor malicioso se aceptar\u00e1n por parte de clientes web como el navegador web o herramientas de interfaz de l\u00ednea de comandos de Linux, pero las firmas IDS de Suricata los ignorar\u00e1n. Esto afecta a la mayor\u00eda de firmas IDS para el contenido del flujo TCP y los protocolos HTTP. Las firmas para los paquetes TCP inspeccionar\u00e1n ese tr\u00e1fico de red como de costumbre."}], "id": "CVE-2018-6794", "lastModified": "2019-03-01T23:33:08.113", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-07T05:29:00.260", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://redmine.openinfosecfoundation.org/issues/2427"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44247/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "nvd@nist.gov", "type": "Primary"}]}