suricata: CVE-2018-6794: do not parse HTTP responses if tcp data was sent before 3-way-handshake completed

Debian Bug report logs - #889842

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Feb 2018 18:30:05 UTC

Severity: important

Tags: patch, security, upstream

Found in version suricata/1:4.0.3-1

Fixed in version suricata/1:4.0.4-1

Done: Arturo Borrero Gonzalez <arturo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://redmine.openinfosecfoundation.org/issues/2427



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#889842; Package src:suricata. (Wed, 07 Feb 2018 18:30:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Pierre Chifflier <pollux@debian.org>. (Wed, 07 Feb 2018 18:30:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: suricata: CVE-2018-6794: do not parse HTTP responses if tcp data was sent before 3-way-handshake completed
Date: Wed, 07 Feb 2018 19:27:27 +0100
Source: suricata
Version: 1:4.0.3-1
Severity: important
Tags: patch security upstream
Forwarded: https://redmine.openinfosecfoundation.org/issues/2427

Hi,

the following vulnerability was published for suricata.

CVE-2018-6794[0]:
| Suricata before 4.1 is prone to an HTTP detection bypass vulnerability
| in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP
| flow and sends data before the 3-way handshake is complete, then the
| data sent by the malicious server will be accepted by web clients such
| as a web browser or Linux CLI utilities, but ignored by Suricata IDS
| signatures. This mostly affects IDS signatures for the HTTP protocol
| and TCP stream content; signatures for TCP packets will inspect such
| network traffic as usual.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6794
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6794
[1] https://redmine.openinfosecfoundation.org/issues/2427
[2] https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

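The bypass described in the CVE text above comes down to a disagreement between the stream tracker and the endpoint: a client will buffer and consume server data that arrives before the handshake is complete, while an inspector that only hands "established" data to its content engine never sees that payload. The following is an added illustration written for this page, not Suricata's code and not the upstream fix; the packet model, the state names, the `stream.data_before_3whs` event name and the two constructed flows are all assumptions chosen to make the gap visible.

```python
"""Added illustration (not Suricata's code): a minimal TCP handshake
state machine showing how payload that arrives before the 3-way
handshake completes can slip past content inspection, and how recording
the anomaly and still inspecting that payload closes the gap."""
from dataclasses import dataclass, field

# TCP flag bits (same values as the TCP header uses).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    """Constructed packet: only direction, flags and payload matter here."""
    src: str            # "client" or "server"
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    state: str = "NONE"     # NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    events: list = field(default_factory=list)      # anomaly events raised
    inspected: list = field(default_factory=list)   # (direction, payload) given to inspection


def _has(flags: int, bits: int) -> bool:
    return flags & bits == bits


def track(packets, strict: bool) -> Session:
    """Replay packets through the handshake state machine.

    strict=False: payload seen before ESTABLISHED is dropped without a
    trace, which is the bypass the CVE text describes.
    strict=True:  the same payload raises a stream event (hypothetical
    name) and is still handed to inspection, because a real client will
    consume it.
    """
    s = Session()
    for p in packets:
        if _has(p.flags, RST):
            s.state = "CLOSED"
            break
        if s.state == "NONE" and p.src == "client" and _has(p.flags, SYN) and not _has(p.flags, ACK):
            s.state = "SYN_SENT"
        elif s.state == "SYN_SENT" and p.src == "server" and _has(p.flags, SYN | ACK):
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and p.src == "client" and _has(p.flags, ACK) and not _has(p.flags, SYN):
            s.state = "ESTABLISHED"

        if not p.payload:
            continue
        if s.state == "ESTABLISHED":
            s.inspected.append((p.src, p.payload))
        elif strict:
            s.events.append(f"stream.data_before_3whs:{p.src}")
            s.inspected.append((p.src, p.payload))
        # non-strict: payload before handshake completion silently vanishes
    return s


def signature_hits(session: Session, needle: bytes, direction: str = "server") -> bool:
    """Stand-in for a content rule matched on one direction's stream data."""
    return any(d == direction and needle in data for d, data in session.inspected)


# Constructed flows. In EARLY_DATA_FLOW the server pushes its response
# after SYN+ACK but before the client's ACK completes the handshake.
RESPONSE = b"HTTP/1.1 200 OK\r\nX-Marker: constructed-marker\r\n\r\n"

NORMAL_FLOW = [
    Packet("client", SYN),
    Packet("server", SYN | ACK),
    Packet("client", ACK),
    Packet("client", PSH | ACK, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("server", PSH | ACK, RESPONSE),
]

EARLY_DATA_FLOW = [
    Packet("client", SYN),
    Packet("server", SYN | ACK),
    Packet("server", PSH | ACK, RESPONSE),
    Packet("client", ACK),
]

if __name__ == "__main__":
    needle = b"constructed-marker"
    for name, flow in (("normal", NORMAL_FLOW), ("early-data", EARLY_DATA_FLOW)):
        for strict in (False, True):
            s = track(flow, strict)
            print(f"{name:10s} strict={strict!s:5s} hit={signature_hits(s, needle)} events={s.events}")
```

Running it shows the rule matching the server response in the normal flow under both policies, missing it entirely in the early-data flow under the lenient policy, and matching it again (with an anomaly event attached) once the tracker treats pre-handshake data as something the endpoint will accept rather than as noise to discard. The event is the part a detection engineer should care about: even where a signature does not match, a session that carried data before its handshake finished is worth surfacing on its own.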


Reply sent to Arturo Borrero Gonzalez <arturo@debian.org>:
You have taken responsibility. (Wed, 14 Feb 2018 11:09:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Feb 2018 11:09:04 GMT)


Message #10 received at 889842-close@bugs.debian.org:

From: Arturo Borrero Gonzalez <arturo@debian.org>
To: 889842-close@bugs.debian.org
Subject: Bug#889842: fixed in suricata 1:4.0.4-1
Date: Wed, 14 Feb 2018 11:05:24 +0000
Source: suricata
Source-Version: 1:4.0.4-1

We believe that the bug you reported is fixed in the latest version of
suricata, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <arturo@debian.org> (supplier of updated suricata package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 14 Feb 2018 11:33:33 +0100
Source: suricata
Binary: suricata suricata-oinkmaster
Architecture: source
Version: 1:4.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Arturo Borrero Gonzalez <arturo@debian.org>
Description:
 suricata   - Next Generation Intrusion Detection and Prevention Tool
 suricata-oinkmaster - Integration package between suricata and oinkmaster
Closes: 889842
Changes:
 suricata (1:4.0.4-1) unstable; urgency=medium
 .
   * [3f18cd8] d/control: refresh git URLs
   * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794
   * [00fcf17] d/compat: bump debhelper compat level to 11
   * [45dc0db] d/control: bump std-version to 4.1.3
Checksums-Sha1:
 0514028e560bc299c2b2589ea7735b321757d962 2518 suricata_4.0.4-1.dsc
 7d31405d31515c5e5295c922d3015104fbb122cc 11680269 suricata_4.0.4.orig.tar.gz
 7651c81ef0c7d3c9958a2bcdb9a08dba879292a8 21324 suricata_4.0.4-1.debian.tar.xz
 6624bd5227c192221e948003a1919b76e4632afd 8830 suricata_4.0.4-1_amd64.buildinfo
Checksums-Sha256:
 9d40814d09b895ec89f7930990233e90dd94a1f558e1e7a30e8195c3241b241e 2518 suricata_4.0.4-1.dsc
 c089ef65eba6732083e4add77d8969f0381350026e5cee2b88bda9366a28e298 11680269 suricata_4.0.4.orig.tar.gz
 4850f97fe4f52050a13af6fc1400948466fd3ed499e7034f5c857ad57136700d 21324 suricata_4.0.4-1.debian.tar.xz
 31ae3e742013418fba65f390d33afd3c7bdafc0635e4cfe38553a307c5e63279 8830 suricata_4.0.4-1_amd64.buildinfo
Files:
 ced88a06a53c5d7d64a477fd37cfb2cf 2518 net optional suricata_4.0.4-1.dsc
 b6fc20992dc89b4902bdea1b4334b2eb 11680269 net optional suricata_4.0.4.orig.tar.gz
 21aa4a719c4b6170ae6d38826799fca9 21324 net optional suricata_4.0.4-1.debian.tar.xz
 74bfcae34038883183712b516dcc2efc 8830 net optional suricata_4.0.4-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Mar 2018 07:27:37 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:56:20 2019; Machine Name: beach
