
Bug #1385: DCERPC traffic parsing issue

Added by Victor Julien about 11 years ago. Updated about 11 years ago.

Status: Closed
Priority: Normal

Description

This is a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn't clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it's very hard.

It was brought to our attention by the Yahoo Pentest Team.

#1 Updated by Victor Julien about 11 years ago

  • Subject changed from traffic parsing issue to DCERPC traffic parsing issue
  • Description updated (diff)
  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

#2 Updated by Victor Julien about 11 years ago

The DCERPC parsing issue has CVE-2015-0928 assigned to it.

#3 Updated by Victor Julien about 11 years ago

Workaround: disable the parser as follows:

In your suricata.yaml go down to the 'app-layer' section and change 'enabled' to 'no' under 'dcerpc', like so:

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      #no-reassemble: yes
    dcerpc:
      enabled: no

After this, restart Suricata.
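A quick way to confirm that a deployed suricata.yaml really carries the workaround above, as an added example that is not part of this bug report or of Suricata itself. It walks the indentation of the YAML subset used in that section (nested maps, scalar values, '#' comments) without PyYAML, and treats a missing 'dcerpc' entry as "not explicitly disabled".

```python
# Added example (not from the bug report or the Suricata project): verify that a
# suricata.yaml carries the workaround, i.e. app-layer.protocols.dcerpc.enabled is "no".
# Handles only the YAML subset this config section uses (nested maps, scalar values,
# '#' comments) so it runs without PyYAML; list items ('- ') are skipped.

def _scalar_at(yaml_text, path):
    """Return the scalar found at the nested mapping `path`, or None if absent."""
    stack = []  # (indent, key) for each mapping that encloses the current line
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing blanks
        if not line.strip() or line.lstrip().startswith("- "):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave mappings this line is not inside
            stack.pop()
        if not value.strip():                    # 'key:' opens a nested mapping
            stack.append((indent, key))
            continue
        if [k for _, k in stack] + [key] == list(path):
            return value.strip()
    return None

def dcerpc_disabled(yaml_text):
    """True only when the DCERPC parser is explicitly switched off."""
    value = _scalar_at(yaml_text, ["app-layer", "protocols", "dcerpc", "enabled"])
    return value is not None and value.lower() in ("no", "false")

# Constructed sample configs: the snippet from the workaround, and the same file
# with the parser left on.
WORKAROUND_YAML = """\
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      #no-reassemble: yes
    dcerpc:
      enabled: no
"""
STILL_ENABLED_YAML = WORKAROUND_YAML.replace("enabled: no", "enabled: yes")

if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND_YAML), ("unchanged", STILL_ENABLED_YAML)):
        state = "disabled" if dcerpc_disabled(cfg) else "STILL ENABLED"
        print(f"{name}: dcerpc parser {state}")
```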
