CVE-2019-18792
Severity: CRITICAL
Suricata 5.0.0 - TCP Signature Bypass via Overlapping FIN Packet
Description
An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any TCP-based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ACK numbers are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both Linux and Windows clients ignore the injected packet.
References (5)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://redmine.openinfosecfoundation.org/issues/3324
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006
Exploit, Third Party Advisory x_refsource_misc
https://redmine.openinfosecfoundation.org/issues/3394
Patch, Third Party Advisory x_refsource_confirm
https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html
Scores
CVSS v3: 9.1
EPSS: 0.0252
EPSS Percentile: 82.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE: CWE-436
Status: published
Products (3)
debian/debian_linux: 8.0
oisf/suricata: 5.0.0
oisf/suricata: 4.1.5 - 4.1.6
Published: Jan 06, 2020
Tracked Since: Feb 18, 2026