Description
Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.
Exploits (1)
exploitdb
WRITEUP
by Positive Technologies · textdosmultiple
https://www.exploit-db.com/exploits/44247
References (5)
Core 5
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/12/msg00000.html
Third Party Advisory x_refsource_confirm
https://redmine.openinfosecfoundation.org/issues/2427
Vendor Advisory x_refsource_confirm
https://suricata-ids.org/2018/02/14/suricata-4-0-4-available/
Exploit, Third Party Advisory, VDB Entry exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/44247/
Scores
CVSS v3
5.3
EPSS
0.3743
EPSS Percentile
97.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-693
Status
published
Products (2)
debian/debian_linux
8.0
suricata-ids/suricata
< 4.0.4
Published
Feb 07, 2018
Tracked Since
Feb 18, 2026