Project

General

Profile

Actions
Copy link

Bug #1385

closed

DCERPC traffic parsing issue

Added by Victor Julien about 9 years ago. Updated about 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
2.0.7
Affected Versions:
Effort:
Difficulty:
Label:

Description

This is a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn't clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it's very hard.

It was brought to our attention by the Yahoo Pentest Team.

Actions
Copy link
 #1

Updated by Victor Julien about 9 years ago

  • Subject changed from traffic parsing issue to DCERPC traffic parsing issue
  • Description updated (diff)
  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Victor Julien about 9 years ago

The DCERPC parsing issue has CVE-2015-0928 assigned to it.

Actions
Copy link
 #3

Updated by Victor Julien about 9 years ago

Workaround: disable the parser as follows:

In your suricata.yaml go down to the 'app-layer' section and change 'enabled' to 'no' under 'dcerpc', like so:

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      #no-reassemble: yes
    dcerpc:
      enabled: no

After this, restart Suricata.

Actions
Copy link

Also available in: Atom PDF