Bug #1385
closed
DCERPC traffic parsing issue
Added by Victor Julien almost 10 years ago.
Updated over 9 years ago.
Description
This is a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn't clear, but it could certainly lead to crashes. RCE might theoretically be possible but looks like it's very hard.
It was brought to our attention by the Yahoo Pentest Team.
- Subject changed from traffic parsing issue to DCERPC traffic parsing issue
- Description updated (diff)
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
The DCERPC parsing issue has CVE-2015-0928 assigned to it.
Workaround: disable the parser as follows:
In your suricata.yaml go down to the 'app-layer' section and change 'enabled' to 'no' under 'dcerpc', like so:
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: no
After this, restart Suricata.
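To confirm the workaround is actually in place before restarting, the following added check (not part of this ticket or of the Suricata project) walks a suricata.yaml and reports the value of app-layer.protocols.dcerpc.enabled. It uses a deliberately minimal indentation-based walker rather than a YAML library so that the value 'no' is kept as the string 'no' (a YAML 1.1 loader such as PyYAML would coerce it to False). The embedded sample file is constructed for the example, and the rule that a missing dcerpc stanza counts as "not applied" assumes the parser is on unless the config turns it off.

```python
"""Verify the CVE-2015-0928 workaround: DCERPC app-layer parser disabled in suricata.yaml."""

# Constructed sample in the shape of the workaround stanza; not a real deployment file.
SAMPLE_SURICATA_YAML = """\
%YAML 1.1
---
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443
      #no-reassemble: yes
    dcerpc:
      enabled: no
"""


def parse_block_mapping(yaml_text):
    """Minimal indentation-based walker for block-style YAML mappings.

    Deliberately NOT a full YAML parser: scalars stay raw strings, so 'no'
    remains 'no' instead of being coerced to False the way a YAML 1.1 loader
    would do. List items and flow syntax are skipped (out of scope here).
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in yaml_text.splitlines():
        stripped = raw.strip()
        if (not stripped or stripped.startswith('#')
                or stripped.startswith('%') or stripped == '---'):
            continue
        indent = len(raw) - len(raw.lstrip(' '))
        key, sep, value = stripped.partition(':')
        if not sep or stripped.startswith('- '):
            continue  # list item or non-mapping line: skipped
        value = value.split(' #', 1)[0].strip()  # drop trailing comments
        while stack[-1][0] >= indent:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == '':
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = value
    return root


def dcerpc_parser_state(yaml_text):
    """Return the raw 'enabled' value under app-layer.protocols.dcerpc
    (lower-cased), or 'missing' if any key on that path is absent."""
    node = parse_block_mapping(yaml_text)
    for key in ('app-layer', 'protocols', 'dcerpc', 'enabled'):
        if not isinstance(node, dict) or key not in node:
            return 'missing'
        node = node[key]
    return str(node).strip('"\'').lower()


def workaround_applied(yaml_text):
    """True only when the parser is explicitly switched off.

    A missing key is treated as NOT applied. Assumption: Suricata enables the
    parser unless the configuration turns it off, so an absent stanza is flagged.
    """
    return dcerpc_parser_state(yaml_text) in ('no', 'false')


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SURICATA_YAML
    print(f"app-layer.protocols.dcerpc.enabled = {dcerpc_parser_state(text)}")
    sys.exit(0 if workaround_applied(text) else 1)
```

Run it as `python check_dcerpc.py /etc/suricata/suricata.yaml`; a non-zero exit means the parser is still enabled (or the stanza is absent) and the restart would not pick up the workaround.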