Bug #3328: bad ip option evasion - Suricata - Open Information Security Foundation

Actions

Bug #3328

closed

bad ip option evasion

Added by Nicolas Adba over 4 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

Suricata is vulnerable to bad ip option evasions.
Here are the pcaps of issue number 3286 with a bad ipv4 option.

I don't think it's exploitable in the wild because routers should drop the injected packets (I didn't test it thought).

Files

Download all files

with_evasion_windows.pcap (1.26 KB) with_evasion_windows.pcap		Nicolas Adba, 11/07/2019 08:25 PM
with_evasion_linux.pcap (1.43 KB) with_evasion_linux.pcap		Nicolas Adba, 11/07/2019 08:25 PM
without_evasion.pcap (1.01 KB) without_evasion.pcap		Nicolas Adba, 11/07/2019 08:25 PM
test.rule (147 Bytes) test.rule		Nicolas Adba, 11/07/2019 08:25 PM

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by Andreas Herz over 4 years ago

Assignee set to OISF Dev
Target version set to 70

Actions

#2

Updated by Victor Julien over 4 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Jason Ish
Target version changed from 70 to 5.0.1

Actions

#3

Updated by Victor Julien over 4 years ago

Priority changed from Normal to High
Label Needs backport added

Actions

#4

Updated by Victor Julien over 4 years ago

Status changed from Assigned to Closed
Priority changed from High to Normal
Private changed from Yes to No
Label deleted (~~Needs backport~~)

https://github.com/OISF/suricata/commit/df8db1ddb0736300bad4a7fee811d333ab77cb54
https://github.com/OISF/suricata/commit/8609939e60cdd52dc1745e2eeb5dc3db275acd13

Actions

#5

Updated by Victor Julien over 4 years ago

Copied to Bug #3414: bad ip option evasion (4.1.x) added

Actions

Also available in: Atom PDF