Project

General

Profile

Actions
Copy link

Security #4504

closed
PM EL

tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets

Security #4504: tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets

Added by Peter Manev almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
7.0.0-beta1
Affected Versions:
Label:
Needs backport to 5.0, Needs backport to 6.0
CVE:
2021-35063
Git IDs:

0d81173d6e912f4be9e3e8f7593d779d8ffed52f
556570f7dd7f21f11cffda5ebcb72738a29cbb90
2c8c043185a4700b042d2154f5076f1c82e5394b

Severity:
CRITICAL
Disclosure Date:

Description

affected versions: all

Please see the pcap attached.
Basically it logs no HTTP even with midstream enabled.

The problem is the first packet right away as it has ACK value that we check and disregard the whole flow/session.But Windows and Linux accept those and everyone else it seems.

Please also see attached a test case(py file) and a patch by Eric.

The pcap can not be shared or made public except of the devs with access to this issue of course.

Files

Download all files
test-nozero-ack.py (403 Bytes) test-nozero-ack.py Peter Manev, 05/28/2021 10:02 AM
0001-stream-tcp-avoid-evasion-by-sending-crafted-SYN-pack.patch (1.78 KB) 0001-stream-tcp-avoid-evasion-by-sending-crafted-SYN-pack.patch Peter Manev, 05/28/2021 10:02 AM

Related issues 2 (0 open2 closed)

Copied to Suricata - Security #4512: Evasion possibility on wrong/unexpected ACK value in crafted SYN packetsClosedVictor JulienActions
Copied to Suricata - Security #4513: Evasion possibility on wrong/unexpected ACK value in crafted SYN packetsClosedJeff LucovskyActions

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #1

  • Tracker changed from Bug to Security
  • Priority changed from Normal to High

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #2

  • Label Needs backport to 5.0, Needs backport to 6.0 added

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #3

  • File deleted (small-eth1-TLPRED.pcap)

JL Updated by Jeff Lucovsky almost 5 years ago Actions
Copy link
 #4

  • Copied to Security #4512: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets added

JL Updated by Jeff Lucovsky almost 5 years ago Actions
Copy link
 #5

  • Copied to Security #4513: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets added

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #6

  • Status changed from New to In Progress
  • Assignee set to Eric Leblond
  • Target version set to 7.0.0-beta1
  • CVE set to 2021-35063

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #7

  • Severity set to CRITICAL

VJ Updated by Victor Julien almost 5 years ago Actions
Copy link
 #8

  • Status changed from In Progress to Closed
  • Priority changed from High to Normal
  • Git IDs updated (diff)

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #9

  • Subject changed from Evasion possibility on wrong/unexpected ACK value in crafted SYN packets to tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets

VJ Updated by Victor Julien over 4 years ago Actions
Copy link
 #10

  • Private changed from Yes to No
Actions
Copy link

Also available in: PDF Atom