CVE-2021-45098

HIGH

Suricata < 6.0.4 - HTTP Signature Bypass via TCP RST Packet Injection

Title source: llm
STIX 2.1

Description

An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.

References (5)

Core 5
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/OISF/suricata/releases
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://redmine.openinfosecfoundation.org/issues/4710
Release Notes, Vendor Advisory x_refsource_misc
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942

Scores

CVSS v3 7.5
EPSS 0.0182
EPSS Percentile 76.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Status published
Products (4)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
oisf/suricata < 6.0.4
Published Dec 16, 2021
Tracked Since Feb 18, 2026