Vulnerability Name:

CVE-2021-45098 (CCN-215537)

Assigned:2021-09-26
Published:2021-09-26
Updated:2022-01-04
Summary:An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-45098

Source: XF
Type: UNKNOWN
suricata-cve202145098-sec-bypass(215537)

Source: MISC
Type: Release Notes, Vendor Advisory
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/OISF/suricata/releases

Source: CCN
Type: Redmine Web site
tcp: Bypass of Payload Detection on TCP RST with options of MD5header

Source: MISC
Type: Exploit, Issue Tracking, Patch, Vendor Advisory
https://redmine.openinfosecfoundation.org/issues/4710

Source: CCN
Type: Suricata Web site
Suricata

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oisf:suricata:*:*:*:*:*:*:*:* (Version < 6.0.4)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:oisf:suricata:6.0.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    oisf suricata *
    debian debian linux 9.0
    debian debian linux 10.0
    debian debian linux 11.0
    oisf suricata 6.0.3