CVE-2018-6794

Published: 07/02/2018 Updated: 01/03/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 505
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

Suricata prior to 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream content; signatures for TCP packets will inspect such network traffic as usual.
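An added example (not part of this advisory or of Suricata's code): a flow check that flags server payload arriving before the client's ACK completes the 3-way handshake, the condition described in the summary. The `Seg` record, the addresses and the sample flows are constructed for illustration.

```python
from collections import namedtuple

# One TCP segment as a sensor or pcap parser might report it (hypothetical record).
Seg = namedtuple("Seg", "src dst flags payload_len")

def early_server_data(segments):
    """Return (flow, index) for each server segment that carries payload
    before the client's ACK has completed the 3-way handshake."""
    flows = {}    # frozenset({src, dst}) -> {"client": endpoint, "state": str}
    alerts = []
    for i, seg in enumerate(segments):
        key = frozenset((seg.src, seg.dst))
        syn, ack = "S" in seg.flags, "A" in seg.flags
        flow = flows.get(key)
        if flow is None:
            if syn and not ack:              # the first SYN defines the client side
                flows[key] = {"client": seg.src, "state": "syn_sent"}
            continue
        if flow["state"] == "established":
            continue
        if seg.src != flow["client"]:        # server to client, handshake still open
            if seg.payload_len > 0:
                alerts.append((tuple(sorted(key)), i))
            if syn and ack:
                flow["state"] = "syn_recv"
        elif flow["state"] == "syn_recv" and ack and not syn:
            flow["state"] = "established"    # client's final ACK
    return alerts

# Constructed sample flows (documentation addresses, not captured traffic).
NORMAL = [
    Seg("10.0.0.5:40000", "192.0.2.10:80", "S", 0),
    Seg("192.0.2.10:80", "10.0.0.5:40000", "SA", 0),
    Seg("10.0.0.5:40000", "192.0.2.10:80", "A", 0),
    Seg("10.0.0.5:40000", "192.0.2.10:80", "PA", 78),
    Seg("192.0.2.10:80", "10.0.0.5:40000", "PA", 512),
]
EARLY = [
    Seg("10.0.0.6:40001", "192.0.2.10:80", "S", 0),
    Seg("192.0.2.10:80", "10.0.0.6:40001", "SA", 0),
    Seg("192.0.2.10:80", "10.0.0.6:40001", "PA", 512),  # payload before client ACK
    Seg("10.0.0.6:40001", "192.0.2.10:80", "A", 0),
]

if __name__ == "__main__":
    print(early_server_data(NORMAL + EARLY))
```

Servers using TCP Fast Open can legitimately send data before the final ACK, so treat a hit as a lead for review rather than a verdict.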

Vulnerable Product

suricata-ids suricata

debian debian linux 8.0

Vendor Advisories

Debian Bug report logs - #889842
suricata: CVE-2018-6794: do not parse HTTP responses if tcp data was sent before 3-way-handshake completed
Package: src:suricata; Maintainer for src:suricata is Pierre Chifflier <pollux@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 7 Feb 2018 18:30:05 U ...

Exploits

Vulnerability Type: Detection Bypass
Affected Product: Suricata
Vulnerable version: <4.0.4
CVE number: CVE-2018-6794
Found: 25012018
By: Kirill Shipulin (@kirill_wow), Positive Technologies
Severity: Medium

About Suricata:
Suricata ...

Github Repositories

IDS Bypass tricks

Disclaimer

These programs are for educational purposes ONLY. Do not use them without permission.

inject_server: Proof-Of-Concept for CVE-2018-6794

If, as the server side, you break the normal packet order of the TCP 3-way handshake and inject some response data before the 3whs is complete, then the data will still be received by the client, but some IDS engines may skip content checks on that Client