Project

General

Profile

Actions

Security #6279

closed

Crash in SMTP parser during parsing of email

Added by Simen Lybekk over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
HIGH
Disclosure Date:

Description

During testing of Suricata 7.0, we've noticed that Suricata occationally exits due to issues with SMTP traffic.

- SCMd5Update+0x00000013
- MimeDecParseLine+0x00000101
- SMTPProcessRequest.isra.15+0x000004ba
- SMTPPreProcessCommands.isra.16+0x0000010b
- SMTPParse+0x00000157
- AppLayerParserParse+0x00000343

The bug has been reproduced on suricata-7.0.0 (21ec99aa7).
Quick testing with SMTP applayer set to detection only and the file logger being configured to force MD5 hashing suggests the issue isn't tied directly to the new Rust MD5 hashing.

We have acquired a copy of the traffic that triggers the flow, and produced a minimal PCAP for reproducing this.
Removing either the Received header or the PIPELINING feature flag stops the crash.


Files

poc-security-6279.pcap (1.53 KB) poc-security-6279.pcap Simen Lybekk, 08/25/2023 02:26 PM

Subtasks 1 (0 open1 closed)

Security #6289: Crash in SMTP parser during parsing of email (6.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (1 open0 closed)

Related to Suricata - Optimization #3591: fuzz: target with pcap, rules and yamlIn ProgressPhilippe AntoineActions
Actions

Also available in: Atom PDF