Project

General

Profile

Actions
Copy link

Security #7067

closed

defrag: off by one leads to possible evasion

Added by Philippe Antoine 4 months ago. Updated 2 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
Label:
CVE:
2024-45796
Git IDs:
Severity:
HIGH
Disclosure Date:
09/04/2024

Description

Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69475

Regression on 26th of April cf https://github.com/OISF/suricata/compare/ad4185b3c4fdcdfd0eac44a5ddf6bc7484c35bda...4fedba11404ea6548fd2ed319adf4b78a56180b4

Victor, I leave you this new one, cc @Jason Ish

Files

Download all files
lolc.pcap (129 KB) lolc.pcap Philippe Antoine, 06/11/2024 08:15 AM
lole.pcap (300 Bytes) lole.pcap Philippe Antoine, 06/11/2024 08:55 AM

Subtasks 1 (0 open1 closed)

Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)ClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Philippe Antoine 4 months ago

Ouch `tracker->ip_hdr_offset` 4 is greater than GET_PKT_LEN(r) 0

Actions
Copy link
 #2

Updated by Victor Julien 4 months ago

Do you have pcap?

Actions
Copy link
 #3

Updated by Philippe Antoine 4 months ago

  • File lol.pcap added

The pcap does trigger only on fuzz_decodepcapfile, not on suricata

Actions
Copy link
 #4

Updated by Philippe Antoine 4 months ago

Here is a pcap reproducer

I had to do mergecap -a -w lolc.pcap lolb.pcap lolb.pcap because fuzzing runs the input twice (to check for leaks)

Actions
Copy link
 #5

Updated by Philippe Antoine 4 months ago

  • File deleted (lol.pcap)
Actions
Copy link
 #6

Updated by Philippe Antoine 4 months ago

Minimized reproducer

Actions
Copy link
 #7

Updated by Victor Julien 4 months ago

  • Status changed from New to Assigned
Actions
Copy link
 #8

Updated by Philippe Antoine 3 months ago

  • Status changed from Assigned to In Review

Gitlab MR

Actions
Copy link
 #9

Updated by Philippe Antoine 2 months ago

  • Label Needs backport to 7.0 added
Actions
Copy link
 #10

Updated by OISF Ticketbot 2 months ago

  • Subtask #7215 added
Actions
Copy link
 #11

Updated by OISF Ticketbot 2 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #12

Updated by Philippe Antoine about 2 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Disclosure Date set to 09/04/2024
Actions
Copy link
 #13

Updated by Victor Julien about 2 months ago

  • Assignee changed from Victor Julien to Philippe Antoine
Actions
Copy link
 #14

Updated by Victor Julien about 1 month ago

  • Severity changed from MODERATE to HIGH

HIGH as it could potentially lead to loss of visibility, and thus policy bypass.

Actions
Copy link
 #15

Updated by Victor Julien about 1 month ago

  • Subject changed from defrag: DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX); to defrag: off by one leads to possible evasion
Actions
Copy link
 #18

Updated by Victor Julien 2 days ago

  • Private changed from Yes to No
Actions
Copy link

Also available in: Atom PDF