Project

General

Profile

Actions

Security #6987

closed

modbus: txs without responses are never freed

Added by Philippe Antoine 8 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
MODERATE
Disclosure Date:
07/23/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68270

This can be abused by setting txs with alerts (like app-layer event invalid length) up to the 500 max txs, and then reiterating the 500 alerts for each tx at each packet...

Also, this shows a more generic attack :
A rule like alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) will be triggered multiple times for the same transaction if the transaction lives long


Files

flood.pcap (7.87 MB) flood.pcap Philippe Antoine, 04/25/2024 07:30 PM

Subtasks 1 (0 open1 closed)

Security #6988: modbus: txs without responses are never freed (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (0 open1 closed)

Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)ClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF