Actions
Security #5243
closed
PA
PA
protocol detection: exploitable type confusion due to concurrent protocol changes
Security #5243:
protocol detection: exploitable type confusion due to concurrent protocol changes
Affected Versions:
Label:
CVE:
Git IDs:
cedffdf14cf1fdd4d551f16c331e5b3e7f0a6927
Severity:
HIGH
Disclosure Date:
Description
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45941&q=label%3AProj-suricata&can=2
If a STMP session has STARTTLS, it requests AppLayerRequestProtocolChange
We call TCPProtoDetect to rerun protocol detection
So far, so good.
But then, if the protocol is HTTP1 requesting an upgrade, HTTP/1.1 101\nUpgrade:h2c
we call again AppLayerRequestProtocolChange which erases values like alproto_orig which leads to type confusion...
Files
PA Updated by Philippe Antoine almost 4 years ago
- Private changed from No to Yes
PA Updated by Philippe Antoine almost 4 years ago
- Status changed from New to In Review
Gitlab MR
JL Updated by Jeff Lucovsky almost 4 years ago
- Copied to Security #5254: protocol detection: exploitable type confusion due to concurrent protocol changes added
VJ Updated by Victor Julien almost 4 years ago
VJ Updated by Victor Julien almost 4 years ago
- Status changed from In Review to Closed
VJ Updated by Victor Julien almost 4 years ago
- Severity changed from MODERATE to HIGH
PA Updated by Philippe Antoine over 3 years ago
- Related to Feature #5509: App-layer event for protocol change failure added
VJ Updated by Victor Julien over 3 years ago
- Private changed from Yes to No
- Label deleted (
Needs backport, Needs backport to 6.0)
Actions