Security #6987: modbus: txs without responses are never freed - Suricata - Open Information Security Foundation

Actions

Security #6987

closed

modbus: txs without responses are never freed

Added by Philippe Antoine 6 months ago. Updated 4 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Affected Versions:

Label:

CVE:

Git IDs:

Severity:

MODERATE

Disclosure Date:

07/23/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68270

This can be abused by setting txs with alerts (like app-layer event invalid length) up to the 500 max txs, and then reiterating the 500 alerts for each tx at each packet...

Also, this shows a more generic attack :
A rule like alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) will be triggered multiple times for the same transaction if the transaction lives long

Files

flood.pcap (7.87 MB) flood.pcap

Philippe Antoine, 04/25/2024 07:30 PM

Subtasks 1 (0 open — 1 closed)

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by OISF Ticketbot 6 months ago

Subtask #6988 added

Actions

#2

Updated by OISF Ticketbot 6 months ago

Label deleted (~~Needs backport to 7.0~~)

Actions

#3

Updated by Philippe Antoine 6 months ago

File flood.pcap flood.pcap added
Label Needs backport to 7.0 added

Reproducer with ./src/suricata -S rules/modbus-events.rules -r flood.pcap -c fuzz.yaml -k none

Actions

#4

Updated by Philippe Antoine 6 months ago

Label deleted (~~Needs backport to 7.0~~)

Actions

#5

Updated by Philippe Antoine 6 months ago

Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added

Actions

#6

Updated by Philippe Antoine 6 months ago

Status changed from New to In Review

Gitlab MR

Actions

#7

Updated by Jason Ish 6 months ago

Does this require a rule to be present?

Actions

#8

Updated by Philippe Antoine 6 months ago

Jason Ish wrote in #note-7:

Does this require a rule to be present?

Nope

Actions

#9

Updated by Philippe Antoine 6 months ago

Preferred fix would be to track modified txs and iterate only over them

Actions

#10

Updated by Philippe Antoine 6 months ago

Also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68341&q=label%3AProj-suricata

Actions

#12

Updated by Philippe Antoine 5 months ago

New Gitlab MR

Actions

#14

Updated by Victor Julien 4 months ago

Status changed from In Review to Resolved

https://github.com/OISF/suricata/security/advisories/GHSA-59qg-h357-69fq

Actions

#15

Updated by Victor Julien 4 months ago

Status changed from Resolved to Closed

Actions

#16

Updated by Juliana Fajardini Reichow 4 months ago

CVE set to 2024-38534

Actions

#17

Updated by Victor Julien 4 months ago

Private changed from Yes to No

Actions

Also available in: Atom PDF