Security #6866

closed

eve: excessive ssh long banner logging

Added by Victor Julien about 2 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity: HIGH
Disclosure Date: 02/19/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64345&q=label%3AProj-suricata&can=2

Fuzz target triggers the following rule:
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210020; rev:2;)
on many packets, leading to most time spent in jsonbuild set_string_from_bytes (doing escaping on binary buffer) for dummy overlong ssh software version.
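
Added example, not Suricata code and not part of this ticket: a stand-in byte escaper in Rust showing how re-escaping an overlong binary banner for every alert record multiplies the work, and how a cap on the logged length bounds it. The escaper, the `limit` parameter, the 64-byte cap and the constructed banner are assumptions for illustration; the ticket does not state which fix was applied.

```rust
// Added illustration; not Suricata's jsonbuilder code.
const HEX: &[u8; 16] = b"0123456789abcdef";

/// Escape raw bytes as the body of a JSON string: printable ASCII is copied,
/// quote and backslash are backslash-escaped, every other byte becomes \u00XX.
/// `limit` is a hypothetical cap on how many input bytes are logged.
fn escape_json_bytes(input: &[u8], limit: Option<usize>) -> String {
    let take = limit.map_or(input.len(), |l| l.min(input.len()));
    let mut out = String::with_capacity(take * 2);
    for &b in &input[..take] {
        match b {
            b'"' => out.push_str("\\\""),
            b'\\' => out.push_str("\\\\"),
            0x20..=0x7e => out.push(b as char),
            _ => {
                out.push_str("\\u00");
                out.push(HEX[(b >> 4) as usize] as char);
                out.push(HEX[(b & 0x0f) as usize] as char);
            }
        }
    }
    out
}

/// Escaped banner bytes produced when the same flow metadata is serialised
/// again for each alert record on the flow.
fn escaped_bytes_for_alerts(banner: &[u8], alerts: usize, limit: Option<usize>) -> usize {
    (0..alerts).map(|_| escape_json_bytes(banner, limit).len()).sum()
}

/// Constructed sample: an SSH identification prefix followed by 4096 binary bytes.
fn constructed_banner() -> Vec<u8> {
    let mut banner = b"SSH-2.0-".to_vec();
    banner.extend(std::iter::repeat(0x01u8).take(4096));
    banner
}

fn main() {
    let banner = constructed_banner();
    for limit in [None, Some(64)] {
        let total = escaped_bytes_for_alerts(&banner, 1000, limit);
        println!("limit {:?}: {} escaped bytes over 1000 alerts", limit, total);
    }
}
```

Each binary byte expands to six output characters, so the uncapped cost grows with banner length times alert count, while the capped cost depends only on the alert count.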


Files

sshlong.pcap (552 KB) Philippe Antoine, 02/12/2024 12:05 PM

Subtasks 2 (0 open, 2 closed)

Security #6867: eve: excessive ssh long banner logging (6.0.x backport) | Closed | Philippe Antoine
Security #6868: eve: excessive ssh long banner logging (7.0.x backport) | Closed | Philippe Antoine
Actions #2

Updated by OISF Ticketbot about 2 months ago

  • Subtask #6867 added
Actions #3

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 6.0)
Actions #4

Updated by OISF Ticketbot about 2 months ago

  • Subtask #6868 added
Actions #5

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 7.0)
Actions #6

Updated by Philippe Antoine about 2 months ago

Why is this marked as resolved?

Actions #7

Updated by Victor Julien about 2 months ago

  • Status changed from Resolved to Closed