Security #6987
closed
modbus: txs without responses are never freed
Git IDs:
Severity: MODERATE
Disclosure Date: 07/23/2024
Description
Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68270
This can be abused by setting txs with alerts (like app-layer event invalid length) up to the 500 max txs, and then reiterating the 500 alerts for each tx at each packet...
Also, this shows a more generic attack:
A rule like
alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;)
will be triggered multiple times for the same transaction if the transaction lives long
Updated by Philippe Antoine 11 months ago
- File flood.pcap added
- Label Needs backport to 7.0 added
Reproducer with ./src/suricata -S rules/modbus-events.rules -r flood.pcap -c fuzz.yaml -k none
Updated by Philippe Antoine 11 months ago
- Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added
Updated by Philippe Antoine 11 months ago
Updated by Philippe Antoine 11 months ago
Preferred fix would be to track modified txs and iterate only over them
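A simplified model of the behaviour in the description and of the fix preferred above, added here as an illustration and not taken from the Suricata code base. The names (Tx, Stats, simulate) are hypothetical, and the model assumes that every packet opens one transaction carrying the invalid-length event, that no response ever arrives, and that no new transaction is opened once the 500 cap is reached.

```rust
// Simplified model of the issue; not Suricata code. All names are hypothetical.
const MAX_TXS: usize = 500; // per-flow transaction cap mentioned in the report

struct Tx {
    invalid_length: bool, // app-layer event set on this transaction
}

struct Stats {
    inspections: u64, // transactions visited by the detection step
    alerts: u64,      // times the app-layer-event rule matched
}

/// Feed `packets` requests that each carry an invalid length and never get a
/// response, so no transaction is ever completed or freed.
fn simulate(packets: usize, only_modified: bool) -> Stats {
    let mut txs: Vec<Tx> = Vec::new();
    let mut stats = Stats { inspections: 0, alerts: 0 };
    for _ in 0..packets {
        // Parser step: open a tx for the request (assumption: none past the cap).
        let mut modified: Vec<usize> = Vec::new();
        if txs.len() < MAX_TXS {
            txs.push(Tx { invalid_length: true });
            modified.push(txs.len() - 1);
        }
        // Detection step: either every live tx, or only those this packet touched.
        let to_inspect: Vec<usize> = if only_modified {
            modified
        } else {
            (0..txs.len()).collect()
        };
        for i in to_inspect {
            stats.inspections += 1;
            if txs[i].invalid_length {
                stats.alerts += 1; // same tx alerts again on every later packet
            }
        }
    }
    stats
}

fn main() {
    let all = simulate(1000, false);
    let fixed = simulate(1000, true);
    println!("all live txs:      {} inspections, {} alerts", all.inspections, all.alerts);
    println!("modified txs only: {} inspections, {} alerts", fixed.inspections, fixed.alerts);
}
```

In this model the work and the alert count grow with packets times live transactions when every transaction is re-inspected, and stay at one inspection per transaction when only modified ones are visited.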
Updated by Philippe Antoine 11 months ago
Updated by Victor Julien 9 months ago
- Status changed from In Review to Resolved