CVE-2021-45098
HIGHSuricata < 6.0.4 - HTTP Signature Bypass via TCP RST Packet Injection
Title source: llmDescription
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
References (5)
Core 5
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/OISF/suricata/releases
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://redmine.openinfosecfoundation.org/issues/4710
Release Notes, Vendor Advisory x_refsource_misc
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
Patch, Third Party Advisory x_refsource_misc
https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df
Scores
CVSS v3
7.5
EPSS
0.0182
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (4)
debian/debian_linux
9.0
debian/debian_linux
10.0
debian/debian_linux
11.0
oisf/suricata
< 6.0.4
Published
Dec 16, 2021
Tracked Since
Feb 18, 2026