Project

General

Profile

Actions

Bug #1385

closed

DCERPC traffic parsing issue

Added by Victor Julien over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn't clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it's very hard.

It was brought to our attention by the Yahoo Pentest Team.

Actions #1

Updated by Victor Julien over 9 years ago

  • Subject changed from traffic parsing issue to DCERPC traffic parsing issue
  • Description updated (diff)
  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions #2

Updated by Victor Julien over 9 years ago

The DCERPC parsing issue has CVE-2015-0928 assigned to it.

Actions #3

Updated by Victor Julien over 9 years ago

Workaround: disable the parser as follows:

In your suricata.yaml go down to the 'app-layer' section and change 'enabled' to 'no' under 'dcerpc', like so:

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      #no-reassemble: yes
    dcerpc:
      enabled: no

After this, restart Suricata.

Actions

Also available in: Atom PDF