[Buildroot] [PATCH v2, 1/1] package/suricata: fix CVE-2019-18792
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Mar 1 07:42:32 UTC 2020
Fabrice, All,
On 2020-02-29 23:46 +0100, Fabrice Fontaine spake thusly:
> An issue was discovered in Suricata 5.0.0. It is possible to
> bypass/evade any TCP-based signature by overlapping a TCP segment with a
> fake FIN packet. The fake FIN packet is injected just before the PUSH
> ACK packet we want to bypass. The PUSH ACK packet (containing the data)
> will be ignored by Suricata because it overlaps the FIN packet (the
> sequence and ack number are identical in the two packets). The client
> will ignore the fake FIN packet because the ACK flag is not set. Both
> Linux and Windows clients are ignoring the injected packet.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> Changes v1 -> v2:
> - Fix trailing whitespace
>
> ...004-stream-reject-broken-ACK-packets.patch | 40 +++++++++++++++++++
> package/suricata/suricata.mk | 3 ++
> 2 files changed, 43 insertions(+)
> create mode 100644 package/suricata/0004-stream-reject-broken-ACK-packets.patch
>
> diff --git a/package/suricata/0004-stream-reject-broken-ACK-packets.patch b/package/suricata/0004-stream-reject-broken-ACK-packets.patch
> new file mode 100644
> index 0000000000..9670d73158
> --- /dev/null
> +++ b/package/suricata/0004-stream-reject-broken-ACK-packets.patch
> @@ -0,0 +1,40 @@
> +From 1c63d3905852f746ccde7e2585600b2199cefb4b Mon Sep 17 00:00:00 2001
> +From: Victor Julien <victor at inliniac.net>
> +Date: Thu, 21 Nov 2019 16:10:21 +0100
> +Subject: [PATCH] stream: reject broken ACK packets
> +
> +Fix evasion posibility by rejecting packets with a broken ACK field.
> +These packets have a non-0 ACK field, but do not have a ACK flag set.
> +
> +Bug #3324.
> +
> +Reported-by: Nicolas Adba
> +(cherry picked from commit fa692df37a796c3330c81988d15ef1a219afc006)
> +[Retrieved from:
> +https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +---
> + src/stream-tcp.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/stream-tcp.c b/src/stream-tcp.c
> +index 35e489acba..8653d670c6 100644
> +--- a/src/stream-tcp.c
> ++++ b/src/stream-tcp.c
> +@@ -4759,6 +4759,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
> + /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
> + if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
> + StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
> ++ goto error;
> + }
> +
> + /* If we are on IPS mode, and got a drop action triggered from
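Review bot: the added `goto error;` turns the broken-ACK branch from set-the-event-and-continue into a hard reject, so a packet with a non-zero acknowledgment number and no ACK flag no longer reaches the rest of StreamTcpPacket; the commit message says "reject", but it should also state that STREAM_PKT_BROKEN_ACK, which until now was only a logged event, is now a discard condition, because deployments that previously only saw the event will see the packet dropped after this bump. The condition itself, `if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0)`, matches the "acknowledgment field is nonzero while the ACK flag is not set" definition from the linked Wireshark question and is the right discriminator for the fake FIN in the cover letter, which carries the data segment's seq/ack numbers without the ACK flag.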
> +@@ -6883,7 +6884,7 @@ static int StreamTcpTest10 (void)
> +
> + tcph.th_win = htons(5480);
> + tcph.th_seq = htonl(10);
> +- tcph.th_ack = htonl(11);
> ++ tcph.th_ack = 0;
> + tcph.th_flags = TH_SYN;
> + p->tcph = &tcph;
> +
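Review bot: changing `tcph.th_ack = htonl(11);` to `tcph.th_ack = 0;` in StreamTcpTest10 is required because that fixture built a bare SYN with a non-zero ack number, exactly what the new check rejects, but the patch adds no test for the rejecting path itself; a one-line comment on why a SYN without ACK must carry ack 0, plus a companion unit test asserting that a SYN or FIN with `th_ack != 0` and no TH_ACK now fails StreamTcpPacket, would document the behaviour and catch a regression if the `goto error;` were ever removed. Since this is a cherry-pick of an upstream commit (the "Retrieved from" URL is given), the change belongs upstream rather than in the Buildroot copy; nothing in the hunk itself needs to change here.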
> diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk
> index b1f0e18dbc..48a6205eed 100644
> --- a/package/suricata/suricata.mk
> +++ b/package/suricata/suricata.mk
> @@ -11,6 +11,9 @@ SURICATA_LICENSE_FILES = COPYING LICENSE
> # We're patching configure.ac
> SURICATA_AUTORECONF = YES
>
> +# 0004-stream-reject-broken-ACK-packets.patch
> +SURICATA_IGNORE_CVES += CVE-2019-18792
> +
> SURICATA_DEPENDENCIES = \
> host-pkgconf \
> $(if $(BR2_PACKAGE_JANSSON),jansson) \
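Review bot: `SURICATA_IGNORE_CVES += CVE-2019-18792` is the right Buildroot mechanism and the `# 0004-stream-reject-broken-ACK-packets.patch` comment correctly ties the ignore to the patch that justifies it; the one maintenance point is that the comment, the ignore line and the patch file must all be dropped together on the next bump to a release that contains the upstream fix, otherwise the CVE stays silently ignored for a version that no longer carries the patch, so a sentence to that effect in the commit message (or in the comment) would help whoever does the bump.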
> --
> 2.25.0
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
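The check the patch introduces, as an added example in C written for this page (it is not Suricata's code, nor Buildroot's): it parses a raw 20-byte TCP header, applies the same "acknowledgment number non-zero while the ACK flag is clear" test, and runs it over four constructed headers, including the fake FIN described in the CVE text and the SYN-with-ack fixture that the StreamTcpTest10 hunk had to change. The function names (`tcp_parse`, `tcp_has_broken_ack`, `sample_verdict`) and all sample values are assumptions made here; the TH_* values are the standard TCP flag bits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in the header's flags byte (same values as the TH_* names in the patch). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_PSH 0x08
#define TH_ACK 0x10

#define TCP_FIXED_HDR_LEN 20

/* The three fields the broken-ACK check needs. */
struct tcp_view {
    uint32_t seq;
    uint32_t ack;
    uint8_t  flags;
};

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the fixed part of a TCP header from raw bytes. Returns false when truncated. */
bool tcp_parse(const uint8_t *buf, size_t len, struct tcp_view *out) {
    if (buf == NULL || out == NULL || len < TCP_FIXED_HDR_LEN) return false;
    out->seq   = get_be32(buf + 4);
    out->ack   = get_be32(buf + 8);
    out->flags = buf[13];
    return true;
}

/* The condition the upstream fix rejects on: a non-zero acknowledgment number
 * while the ACK flag is clear (the field is only meaningful when ACK is set). */
bool tcp_has_broken_ack(const struct tcp_view *h) {
    return !(h->flags & TH_ACK) && h->ack != 0;
}

/* Build a constructed 20-byte header (no options, zero checksum) for the samples below. */
static void build_hdr(uint8_t *buf, uint32_t seq, uint32_t ack, uint8_t flags) {
    memset(buf, 0, TCP_FIXED_HDR_LEN);
    buf[0] = 0xc3; buf[1] = 0x50;          /* source port 50000 */
    buf[2] = 0x00; buf[3] = 0x50;          /* destination port 80 */
    put_be32(buf + 4, seq);
    put_be32(buf + 8, ack);
    buf[12] = (uint8_t)(5 << 4);           /* data offset: 5 x 32-bit words */
    buf[13] = flags;
    buf[14] = 0x16; buf[15] = 0xd0;        /* window 5840 */
}

/* Constructed samples (not captured traffic):
 *  0: normal SYN, ack number 0                         -> accepted
 *  1: PSH|ACK data segment                             -> accepted
 *  2: the fake FIN from the CVE text: FIN flag only,
 *     but carrying the data segment's seq/ack numbers  -> rejected
 *  3: what StreamTcpTest10 used to build: a SYN with
 *     ack number 11 and no ACK flag                    -> rejected (hence the fixture change) */
#define NUM_SAMPLES 4

static void build_sample(int idx, uint8_t *buf) {
    switch (idx) {
    case 0:  build_hdr(buf, 10, 0, TH_SYN); break;
    case 1:  build_hdr(buf, 1000, 2000, TH_PSH | TH_ACK); break;
    case 2:  build_hdr(buf, 1000, 2000, TH_FIN); break;
    default: build_hdr(buf, 10, 11, TH_SYN); break;
    }
}

/* Returns 1 if the sample would be rejected by the check, 0 if accepted, -1 on bad index or parse failure. */
int sample_verdict(int idx) {
    uint8_t buf[TCP_FIXED_HDR_LEN];
    struct tcp_view v;
    if (idx < 0 || idx >= NUM_SAMPLES) return -1;
    build_sample(idx, buf);
    if (!tcp_parse(buf, sizeof buf, &v)) return -1;
    return tcp_has_broken_ack(&v) ? 1 : 0;
}

int main(void) {
    for (int i = 0; i < NUM_SAMPLES; i++) {
        int r = sample_verdict(i);
        printf("sample %d: %s\n", i,
               r == 1 ? "rejected (broken ACK)" : r == 0 ? "accepted" : "parse error");
    }
    return 0;
}
```

Sample 2 is the interesting one: the fake FIN is indistinguishable from the real data segment by sequence and acknowledgment numbers alone, which is why the fix keys on the flag/field inconsistency rather than on overlap handling. Sample 3 shows why the unit-test fixture had to change: a SYN with a non-zero ack number is rejected by exactly the same rule.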