SB2019082827 - Multiple vulnerabilities in Suricata

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2019-15699)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.

2) Out-of-bounds read (CVE-ID: CVE-2019-16410)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.

3) Out-of-bounds read (CVE-ID: CVE-2019-16411)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of header and 3 bytes of data). Then, "flag = *(o->data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.

4) Input validation error (CVE-ID: CVE-2019-10055)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.

5) Buffer overflow (CVE-ID: CVE-2019-10056)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.

6) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2019-10051)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.

Remediation

Install update from vendor's website.

References

• https://lists.openinfosecfoundation.org/pipermail/oisf-announce/
• https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
• https://www.code-intelligence.com/cve-2019-16410
• https://www.code-intelligence.com/cve-2019-16411
• https://redmine.openinfosecfoundation.org/issues/2949
• https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
• https://redmine.openinfosecfoundation.org/issues/2946
• https://github.com/OISF/suricata/pull/3734
• https://redmine.openinfosecfoundation.org/issues/2896