CVE-2019-18625

EUVD-2019-8349
An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and the FIN ACK packets because of the bad TCP Timestamp option. Both linux and windows client are ignoring the injected packets.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
oisfsuricata
5.0.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
suricata
bookworm
1:6.0.10-1
fixed
bullseye
1:6.0.1-3
fixed
buster
no-dsa
sid
1:7.0.7-1
fixed
stretch
no-dsa
trixie
1:7.0.7-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
suricata
bionic
needs-triage
disco
ignored
eoan
ignored
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needs-triage
References
https://github.com/OISF/suricata/commit/9f0294fadca3dcc18c919424242a41e01f3e8318
https://github.com/OISF/suricata/commit/ea0659de7640cf6a51de5bbd1dbbb0414e4623a0
https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html
https://redmine.openinfosecfoundation.org/issues/3286
https://redmine.openinfosecfoundation.org/issues/3395
https://github.com/OISF/suricata/commit/9f0294fadca3dcc18c919424242a41e01f3e8318
https://github.com/OISF/suricata/commit/ea0659de7640cf6a51de5bbd1dbbb0414e4623a0
https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html
https://redmine.openinfosecfoundation.org/issues/3286
https://redmine.openinfosecfoundation.org/issues/3395