Security #7458: af-packet: defrag option can lead to truncated packets - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Security #7458

closed

af-packet: defrag option can lead to truncated packets

Added by Jason Ish 7 months ago. Updated 2 days ago.

Status:

Closed

Priority:

Normal

Assignee:

Jason Ish

Target version:

8.0.0-beta1

Affected Versions:

7.0.8, git master

Label:

CVE:

2025-29915

Git IDs:

Severity:

HIGH

Disclosure Date:

Description

Given a default AF_PACKET IDS configuration, the default snaplen is set to 1524. However, the defrag option can reassemble fragmented packets up to the maximum packet size. Suricata will then see these packets as truncated, create an alert, but not go any further with the packets.

A quick test with --set default-packet-size=5000 helps with smaller packets, as seen with Wireguard, but can only be increased to just over 32000 before other parameters need to be adjusted.

If the defrag option is used, should we set up AF_PACKET to handle full-size packets by default?

Subtasks 1 (0 open — 1 closed)

Security #7459: af-packet: defrag option can lead to truncated packets (7.0.x backport)

Closed

Jason Ish

Actions

Related issues 1 (0 open — 1 closed)

Related to Suricata - Optimization #4798: af-packet: default to tpacket-v3 in IDS mode

Closed

Jason Ish

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by OISF Ticketbot 7 months ago

Subtask #7459 added

Actions

Copy link

Updated by OISF Ticketbot 7 months ago

Label deleted (~~Needs backport to 7.0~~)

Actions

Copy link

Updated by Jason Ish 7 months ago

Current work-around with code changes for IDS mode only:

# 65535 + 14
default-packet-size: 65549

af-packet
  - interface: enp10s0
    defrag: true
    # Required for custom block-size, but not recommended for IPS.
    tpacket-v3: true
    # Large enough 32 packets of default-packet-size.
    block-size: 2097152

For t-packet v2, as well as IPS mode I guess the best thing is to disable defrag. However, turning off defrag is necessary for IPS setups.

Questions:
- What is the impact of increasing this block size?
- What is the impact of increasing the default packet size?
- Can we/should we modify the code to fix this for tpacket-v2 (which is the default)?

Should we look at better defaults? If IDS, default to tpacket-v3 with large packet size? If IPS, force off defrag?

I think it would be rather trivial to stuff something like DNS requests with extra data such that Suricata IDS defaults would always see the packets as truncated. Or perform some UDP tunneling in large packets that are always fragmented and seen as truncated by Suricata, using the defaults.

Actions

Copy link

Updated by Jason Ish 7 months ago

Description updated (diff)

Actions

Copy link

Updated by Jason Ish 7 months ago

To keep with tpacket v2, I had to make this adjustment:

#define AFP_BLOCK_SIZE_DEFAULT_ORDER 5

Where the value is currently 3.

Actions

Copy link

Updated by Jason Ish 6 months ago

Assignee changed from OISF Dev to Eric Leblond

Actions

Copy link

Updated by Jason Ish 5 months ago

Related to Optimization #4798: af-packet: default to tpacket-v3 in IDS mode added

Actions

Copy link

Updated by Jason Ish 5 months ago

Status changed from New to In Progress
Assignee changed from Eric Leblond to Jason Ish

Actions

Copy link

Updated by Jason Ish 5 months ago

Status changed from In Progress to In Review

Actions

Copy link

#10

Updated by Jason Ish 4 months ago

Tracker changed from Bug to Security
Severity set to MODERATE

Actions

Copy link

#11

Updated by Jason Ish 4 months ago

Severity changed from MODERATE to HIGH

Actions

Copy link

#12

Updated by Juliana Fajardini Reichow 4 months ago

CVE set to 2025-29915

Security Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mp

Actions

Copy link

#13

Updated by Jason Ish 4 months ago

Status changed from In Review to Resolved

While its still possible that truncated packets can be seen in 7.0.9, the alert is there, and the configuration options are there to mitigate the issue.

In summary, the following changes were made to the development branch and backported to 7.0.9:
- increase default block size from 32k to 128k. This allows a fully defragmented packet to fit.
- For tpacket-v2, increase the default snaplen from 1514 to 9k. In normal usage its probably unlikely to see 65k packets, and keeping the snaplen down decreases the memory usage. Its not uncommon to see packets a little over the MTU with VPNs and such. So this should cover those.
- Expose a tpacket-v2 block size parameter to the config so users can lower if necessary
- Add a warning to recommend tpacket-v3 if in passive IDS mode
- Add a warning to disable defrag if in IPS mode

Actions

Copy link

#14

Updated by Jason Ish 4 months ago

Status changed from Resolved to Closed

Actions

Copy link

#15

Updated by Juliana Fajardini Reichow 2 days ago

Private changed from Yes to No

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Security #7458

af-packet: defrag option can lead to truncated packets

Updated by OISF Ticketbot 7 months ago

Updated by OISF Ticketbot 7 months ago

Updated by Jason Ish 7 months ago

Updated by Jason Ish 7 months ago

Updated by Jason Ish 7 months ago

Updated by Jason Ish 6 months ago

Updated by Jason Ish 5 months ago

Updated by Jason Ish 5 months ago

Updated by Jason Ish 5 months ago

Updated by Jason Ish 4 months ago

Updated by Jason Ish 4 months ago

Updated by Juliana Fajardini Reichow 4 months ago

Updated by Jason Ish 4 months ago

Updated by Jason Ish 4 months ago

Updated by Juliana Fajardini Reichow 2 days ago