Multiple vulnerabilities in Suricata
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2019-15699 CVE-2019-16410 CVE-2019-16411 CVE-2019-10055 CVE-2019-10056 CVE-2019-10051 |
| CWE-ID | CWE-125 CWE-20 CWE-119 CWE-754 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Suricata Server applications / IDS/IPS systems, Firewalls and proxy servers |
| Vendor | Open Information Security Foundation |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU35478
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-15699
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.4
External linkshttp://lists.openinfosecfoundation.org/pipermail/oisf-announce/
http://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU35479
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16410
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.4
External linkshttp://lists.openinfosecfoundation.org/pipermail/oisf-announce/
http://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
http://www.code-intelligence.com/cve-2019-16410
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU35480
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16411
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of header and 3 bytes of data). Then, "flag = *(o->data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.4
External linkshttp://lists.openinfosecfoundation.org/pipermail/oisf-announce/
http://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
http://www.code-intelligence.com/cve-2019-16411
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU35586
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10055
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.4
External linkshttp://redmine.openinfosecfoundation.org/issues/2949
http://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU35587
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10056
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.3 - 4.1.4
External linkshttp://redmine.openinfosecfoundation.org/issues/2946
http://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Check for Unusual or Exceptional Conditions
EUVDB-ID: #VU35588
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10051
CWE-ID:
CWE-754 - Improper Check for Unusual or Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.
MitigationInstall update from vendor's website.
Vulnerable software versionsSuricata: 4.1.3 - 4.1.4
External linkshttp://github.com/OISF/suricata/pull/3734
http://redmine.openinfosecfoundation.org/issues/2896
http://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
