CVE-2019-18792

CRITICAL

Suricata 5.0.0 - SSRF

Title source: llm

Description

An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.

References (5)

[Exploit, Third Party Advisory] https://redmine.openinfosecfoundation.org/issues/3324

[Patch, Third Party Advisory] https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006

[Exploit, Third Party Advisory] https://redmine.openinfosecfoundation.org/issues/3394

[Patch, Third Party Advisory] https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b

View Patch ZIP pw:eip

[Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html

Scores

CVSS v3 9.1

EPSS 0.0018

EPSS Percentile 39.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-436

Status published

Products (3)

debian/debian_linux 8.0

oisf/suricata 5.0.0

oisf/suricata 4.1.5 - 4.1.6

Published Jan 06, 2020

Tracked Since Feb 18, 2026