CVE-2021-45098

An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
VendorProductVersion
oisfsuricata
𝑥
< 6.0.4
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
suricata
bullseye
no-dsa
buster
no-dsa
stretch
no-dsa
bookworm
1:6.0.10-1
fixed
sid
1:7.0.7-1
fixed
trixie
1:7.0.7-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
suricata
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
bionic
needs-triage
xenial
needs-triage
trusty
ignored
References
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df
https://github.com/OISF/suricata/releases
https://redmine.openinfosecfoundation.org/issues/4710
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df
https://github.com/OISF/suricata/releases
https://redmine.openinfosecfoundation.org/issues/4710