Security #4513: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets - Suricata - Open Information Security Foundation

Actions

Copy link

Security #4513

closed

Evasion possibility on wrong/unexpected ACK value in crafted SYN packets

Added by Jeff Lucovsky over 3 years ago. Updated about 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

5.0.7

Affected Versions:

5.0.6

Label:

CVE:

2021-35063

Git IDs:

f61ef79781605a5d1d75d8bf023da9552f781301

Severity:

CRITICAL

Disclosure Date:

Description

affected versions: all

Please see the pcap attached.
Basically it logs no HTTP even with midstream enabled.

The problem is the first packet right away as it has ACK value that we check and disregard the whole flow/session.But Windows and Linux accept those and everyone else it seems.

Please also see attached a test case(py file) and a patch by Eric.

The pcap can not be shared or made public except of the devs with access to this issue of course.

Files

Download all files

test-nozero-ack.py (403 Bytes) test-nozero-ack.py		Peter Manev, 05/28/2021 10:02 AM
0001-stream-tcp-avoid-evasion-by-sending-crafted-SYN-pack.patch (1.78 KB) 0001-stream-tcp-avoid-evasion-by-sending-crafted-SYN-pack.patch		Peter Manev, 05/28/2021 10:02 AM

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Security #4513

Evasion possibility on wrong/unexpected ACK value in crafted SYN packets

Updated by Jeff Lucovsky over 3 years ago

Updated by Jeff Lucovsky over 3 years ago

Updated by Jeff Lucovsky over 3 years ago

Updated by Victor Julien over 3 years ago

Updated by Victor Julien over 3 years ago

Updated by Victor Julien about 3 years ago