CVE-2019-18792
First published: Mon Jan 06 2020(Updated: )
An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Suricata-ids Suricata | >=4.1.5<4.1.6 | |
| Suricata-ids Suricata | =5.0.0 | |
| Debian Debian Linux | =8.0 | |
| Oisf Suricata | >=4.1.5<4.1.6 | |
| Oisf Suricata | =5.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b
- https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006
- https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html
- https://redmine.openinfosecfoundation.org/issues/3324
- https://redmine.openinfosecfoundation.org/issues/3394
Frequently Asked Questions
What is CVE-2019-18792?
CVE-2019-18792 is a vulnerability in Suricata 5.0.0 that allows attackers to bypass tcp based signature by overlapping a TCP segment with a fake FIN packet.
What is the severity of CVE-2019-18792?
The severity of CVE-2019-18792 is critical with a CVSS score of 9.1.
Which software versions are affected by CVE-2019-18792?
Suricata versions 4.1.5 through 4.1.6 and version 5.0.0 are affected by CVE-2019-18792. Debian Linux version 8.0 is also affected.
How can an attacker exploit CVE-2019-18792?
An attacker can exploit CVE-2019-18792 by injecting a fake FIN packet before a PUSH ACK packet to bypass tcp based signature in Suricata.
Is there a fix available for CVE-2019-18792?
Yes, the vulnerability has been fixed in the following commits: 1c63d3905852f746ccde7e2585600b2199cefb4b and fa692df37a796c3330c81988d15ef1a219afc006. Debian has also released a security advisory.
- collector/nvd-index
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/suricata-ids
- canonical/suricata-ids suricata
- version/suricata-ids suricata/4.1.5
- version/suricata-ids suricata/5.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/oisf
- canonical/oisf suricata
- version/oisf suricata/4.1.5
- version/oisf suricata/5.0.0