Project

General

Profile

Actions
Copy link

Security #6987

closed
PA PA

modbus: txs without responses are never freed

Security #6987: modbus: txs without responses are never freed

Added by Philippe Antoine almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
Label:
CVE:
2024-38534
Git IDs:
Severity:
MODERATE
Disclosure Date:
07/23/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68270

This can be abused by setting txs with alerts (like app-layer event invalid length) up to the 500 max txs, and then reiterating the 500 alerts for each tx at each packet...

Also, this shows a more generic attack :
A rule like alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) will be triggered multiple times for the same transaction if the transaction lives long

Files

flood.pcap (7.87 MB) flood.pcap Philippe Antoine, 04/25/2024 07:30 PM

Subtasks 1 (0 open1 closed)

Security #6988: modbus: txs without responses are never freed (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (0 open3 closed)

Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)ClosedPhilippe AntoineActions
Related to Suricata - Security #6770: log: arbitrary-length value can be loggedClosedOISF DevActions
Related to Suricata - Optimization #7087: app-layer: track modified transactionsClosedPhilippe AntoineActions

OT Updated by OISF Ticketbot almost 2 years ago Actions
Copy link
 #1

  • Subtask #6988 added

OT Updated by OISF Ticketbot almost 2 years ago Actions
Copy link
 #2

  • Label deleted (Needs backport to 7.0)

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #3

Reproducer with ./src/suricata -S rules/modbus-events.rules -r flood.pcap -c fuzz.yaml -k none

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #4

  • Label deleted (Needs backport to 7.0)

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #5

  • Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #6

  • Status changed from New to In Review

Gitlab MR

JI Updated by Jason Ish almost 2 years ago Actions
Copy link
 #7

Does this require a rule to be present?

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #8

Jason Ish wrote in #note-7:

Does this require a rule to be present?

Nope

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #9

Preferred fix would be to track modified txs and iterate only over them

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #11

  • Related to Security #6770: log: arbitrary-length value can be logged added

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #12

New Gitlab MR

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
 #13

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #15

  • Status changed from Resolved to Closed

JF Updated by Juliana Fajardini Reichow almost 2 years ago Actions
Copy link
 #16

  • CVE set to 2024-38534

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #17

  • Private changed from Yes to No
Actions
Copy link

Also available in: PDF Atom