CVE-2018-6794
CVE-2018-6794
Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.
Affected products
n/a · n/apublic PoCs found — 2
cve_referencewww.exploit-db.com/exploits/44247/unverifiedexploitdbwww.exploit-db.com/exploits/44247unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1https://lists.debian.org/debian-lts-announce/2018/12/msg00000.htmlhttps://redmine.openinfosecfoundation.org/issues/2427https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/https://www.exploit-db.com/exploits/44247/