Project

General

Profile

Actions

Security #6987

closed

modbus: txs without responses are never freed

Added by Philippe Antoine 7 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
MODERATE
Disclosure Date:
07/23/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68270

This can be abused by setting txs with alerts (like app-layer event invalid length) up to the 500 max txs, and then reiterating the 500 alerts for each tx at each packet...

Also, this shows a more generic attack :
A rule like alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) will be triggered multiple times for the same transaction if the transaction lives long


Files

flood.pcap (7.87 MB) flood.pcap Philippe Antoine, 04/25/2024 07:30 PM

Subtasks 1 (0 open1 closed)

Security #6988: modbus: txs without responses are never freed (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (0 open1 closed)

Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)ClosedPhilippe AntoineActions
Actions #1

Updated by OISF Ticketbot 7 months ago

  • Subtask #6988 added
Actions #2

Updated by OISF Ticketbot 7 months ago

  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by Philippe Antoine 7 months ago

Reproducer with ./src/suricata -S rules/modbus-events.rules -r flood.pcap -c fuzz.yaml -k none

Actions #4

Updated by Philippe Antoine 7 months ago

  • Label deleted (Needs backport to 7.0)
Actions #5

Updated by Philippe Antoine 7 months ago

  • Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added
Actions #6

Updated by Philippe Antoine 7 months ago

  • Status changed from New to In Review

Gitlab MR

Actions #7

Updated by Jason Ish 7 months ago

Does this require a rule to be present?

Actions #8

Updated by Philippe Antoine 7 months ago

Jason Ish wrote in #note-7:

Does this require a rule to be present?

Nope

Actions #9

Updated by Philippe Antoine 6 months ago

Preferred fix would be to track modified txs and iterate only over them

Actions #12

Updated by Philippe Antoine 6 months ago

New Gitlab MR

Actions #14

Updated by Victor Julien 5 months ago

  • Status changed from In Review to Resolved
Actions #15

Updated by Victor Julien 5 months ago

  • Status changed from Resolved to Closed
Actions #16

Updated by Juliana Fajardini Reichow 5 months ago

  • CVE set to 2024-38534
Actions #17

Updated by Victor Julien 4 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF