Actions
Security #5243
closedprotocol detection: exploitable type confusion due to concurrent protocol changes
Affected Versions:
Label:
CVE:
Git IDs:
cedffdf14cf1fdd4d551f16c331e5b3e7f0a6927
Severity:
HIGH
Disclosure Date:
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941&q=label%3AProj-suricata&can=2
If a STMP session has STARTTLS, it requests AppLayerRequestProtocolChange
We call TCPProtoDetect
to rerun protocol detection
So far, so good.
But then, if the protocol is HTTP1 requesting an upgrade, HTTP/1.1 101\nUpgrade:h2c
we call again AppLayerRequestProtocolChange
which erases values like alproto_orig
which leads to type confusion...
Files
Updated by Jeff Lucovsky over 2 years ago
- Copied to Security #5254: protocol detection: exploitable type confusion due to concurrent protocol changes added
Updated by Victor Julien over 2 years ago
- Git IDs updated (diff)
Updated by Victor Julien over 2 years ago
- Status changed from In Review to Closed
Updated by Victor Julien over 2 years ago
- Severity changed from MODERATE to HIGH
Updated by Philippe Antoine over 2 years ago
- Related to Feature #5509: App-layer event for protocol change failure added
Updated by Victor Julien about 2 years ago
- Private changed from Yes to No
- Label deleted (
Needs backport, Needs backport to 6.0)
Actions