From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yann E. MORIN Date: Sun, 1 Mar 2020 08:42:32 +0100 Subject: [Buildroot] [PATCH v2, 1/1] package/suricata: fix CVE-2019-18792 In-Reply-To: <20200229224643.4064368-1-fontaine.fabrice@gmail.com> References: <20200229224643.4064368-1-fontaine.fabrice@gmail.com> Message-ID: <20200301074232.GB8743@scaer> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Fabrice, All, On 2020-02-29 23:46 +0100, Fabrice Fontaine spake thusly: > An issue was discovered in Suricata 5.0.0. It is possible to > bypass/evade any tcp based signature by overlapping a TCP segment with a > fake FIN packet. The fake FIN packet is injected just before the PUSH > ACK packet we want to bypass. The PUSH ACK packet (containing the data) > will be ignored by Suricata because it overlaps the FIN packet (the > sequence and ack number are identical in the two packets). The client > will ignore the fake FIN packet because the ACK flag is not set. Both > linux and windows clients are ignoring the injected packet. > > Signed-off-by: Fabrice Fontaine Applied to master, thanks. Regards, Yann E. MORIN. > --- > Changes v1 -> v2: > - Fix trailing whitespace > > ...004-stream-reject-broken-ACK-packets.patch | 40 +++++++++++++++++++ > package/suricata/suricata.mk | 3 ++ > 2 files changed, 43 insertions(+) > create mode 100644 package/suricata/0004-stream-reject-broken-ACK-packets.patch > > diff --git a/package/suricata/0004-stream-reject-broken-ACK-packets.patch b/package/suricata/0004-stream-reject-broken-ACK-packets.patch > new file mode 100644 > index 0000000000..9670d73158 > --- /dev/null > +++ b/package/suricata/0004-stream-reject-broken-ACK-packets.patch 
> @@ -0,0 +1,40 @@ > +From 1c63d3905852f746ccde7e2585600b2199cefb4b Mon Sep 17 00:00:00 2001 > +From: Victor Julien > +Date: Thu, 21 Nov 2019 16:10:21 +0100 > +Subject: [PATCH] stream: reject broken ACK packets > + > +Fix evasion posibility by rejecting packets with a broken ACK field. > +These packets have a non-0 ACK field, but do not have a ACK flag set. > + > +Bug #3324. > + > +Reported-by: Nicolas Adba > +(cherry picked from commit fa692df37a796c3330c81988d15ef1a219afc006) > +[Retrieved from: > +https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b] > +Signed-off-by: Fabrice Fontaine > +--- > + src/stream-tcp.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/src/stream-tcp.c b/src/stream-tcp.c > +index 35e489acba..8653d670c6 100644 > +--- a/src/stream-tcp.c > ++++ b/src/stream-tcp.c > +@@ -4759,6 +4759,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt, > + /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */ > + if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) { > + StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK); > ++ goto error; > + } > + > + /* If we are on IPS mode, and got a drop action triggered from > +@@ -6883,7 +6884,7 @@ static int StreamTcpTest10 (void) > + > + tcph.th_win = htons(5480); > + tcph.th_seq = htonl(10); > +- tcph.th_ack = htonl(11); > ++ tcph.th_ack = 0; > + tcph.th_flags = TH_SYN; > + p->tcph = &tcph; > + > diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk > index b1f0e18dbc..48a6205eed 100644 > --- a/package/suricata/suricata.mk > +++ b/package/suricata/suricata.mk 
> @@ -11,6 +11,9 @@ SURICATA_LICENSE_FILES = COPYING LICENSE > # We're patching configure.ac > SURICATA_AUTORECONF = YES > > +# 0004-stream-reject-broken-ACK-packets.patch > +SURICATA_IGNORE_CVES += CVE-2019-18792 > + > SURICATA_DEPENDENCIES = \ > host-pkgconf \ > $(if $(BR2_PACKAGE_JANSSON),jansson) \ > -- > 2.25.0 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'
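Review bot: in the src/stream-tcp.c hunk at @@ -4759, the new `goto error;` leaves StreamTcpPacket before the IPS-mode handling that immediately follows the check ("/* If we are on IPS mode, and got a drop action triggered from"), so the patch should say what happens to such a packet in inline mode: if the error path drops it, legitimate traffic from stacks that emit a nonzero acknowledgment number without the ACK flag (the case the Wireshark link above the check documents) will now be dropped in IPS deployments, and if it is only skipped, the sensor no longer tracks that packet at all. Either way the commit message should state that STREAM_PKT_BROKEN_ACK, previously an event only, now makes the stream engine refuse the packet, since that is a behaviour change for every deployment, not just the evasion case.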
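Review bot: the StreamTcpTest10 hunk at @@ -6883 only changes `tcph.th_ack = htonl(11);` to `tcph.th_ack = 0;` so that the existing test's SYN no longer has the exact shape the new check rejects, but the patch adds no test of the new behaviour itself. A unit test beside this one that feeds a segment with a nonzero ack field and the ACK flag clear, and asserts that STREAM_PKT_BROKEN_ACK is set and the packet is refused, would give the fix regression coverage; as submitted, a later change that removes the `goto error;` would go unnoticed by the test suite.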
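Review bot: in the package/suricata/suricata.mk hunk, the comment correctly ties `SURICATA_IGNORE_CVES += CVE-2019-18792` to 0004-stream-reject-broken-ACK-packets.patch, but since that patch is a cherry-pick of upstream commit fa692df37a796c3330c81988d15ef1a219afc006, both the patch file and this ignore line must be removed on the next version bump that contains the upstream fix, otherwise the CVE stays silently ignored regardless of which Suricata version is built. A short reminder in the comment (for example that the entry is to be dropped when bumping past the release carrying fa692df) makes that cleanup hard to forget.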
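The fake-FIN evasion the commit message describes, and the broken-ACK check the cherry-picked hunk adds, as an added Python model that is not part of this mail, of the Buildroot patch, or of Suricata's own code. The packet builder, the payload, and the "first segment at a sequence number wins, later overlapping segment is ignored" reassembly are constructed simplifications of the behaviour described above (the event name STREAM_PKT_BROKEN_ACK is taken from the hunk; `client_accepts` is an assumption standing in for a real stack ignoring a segment without the ACK flag on an established connection). Running it side by side shows why the sensor missed the data before the fix and sees it after:

```python
"""Toy model of the CVE-2019-18792 fake-FIN evasion and the broken-ACK rejection.

Constructed example, not Suricata code: it models only what the commit message
describes (first segment seen at a sequence number is kept, a later overlapping
segment is ignored) so the effect of refusing broken-ACK packets is visible.
"""
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (no options) plus payload; checksum left 0 (constructed data)."""
    off_flags = (5 << 12) | flags          # data offset 5 words, flags in the low 9 bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    return hdr + payload


def parse_tcp(pkt):
    """Extract the fields this model needs from a raw TCP segment."""
    _, _, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", pkt[:20])
    doff = (off_flags >> 12) * 4
    return {"seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "payload": pkt[doff:]}


def is_broken_ack(seg):
    """The upstream check: ACK flag clear but acknowledgment number nonzero."""
    return not (seg["flags"] & TH_ACK) and seg["ack"] != 0


def client_accepts(seg):
    """Assumption: on an established connection the endpoint drops segments lacking ACK,
    which is why the injected FIN is ignored by the real client."""
    return bool(seg["flags"] & TH_ACK)


class ToyStream:
    """Minimal reassembly model. reject_broken_ack=False is the pre-fix behaviour
    (event only), True is the patched behaviour (event, then the packet is refused)."""

    def __init__(self, reject_broken_ack):
        self.reject_broken_ack = reject_broken_ack
        self.segments = {}   # seq -> payload
        self.events = []

    def feed(self, pkt):
        seg = parse_tcp(pkt)
        if is_broken_ack(seg):
            self.events.append("STREAM_PKT_BROKEN_ACK")
            if self.reject_broken_ack:
                return False          # patched: the "goto error" path
        if seg["seq"] in self.segments:
            return False              # overlap with data already accepted at this seq
        self.segments[seg["seq"]] = seg["payload"]
        return True

    def reassembled(self):
        return b"".join(self.segments[s] for s in sorted(self.segments))


PAYLOAD = b"GET /evil HTTP/1.1\r\n"   # constructed request a signature is meant to catch


def evasion_attempt(reject_broken_ack):
    """Inject a fake FIN (same seq/ack, ACK flag clear) right before the real PSH/ACK.
    Returns (bytes the sensor reassembled, bytes the client actually received)."""
    sensor = ToyStream(reject_broken_ack)
    seq, ack = 1000, 5000
    fake_fin = build_tcp(40000, 80, seq, ack, TH_FIN, b"")
    real = build_tcp(40000, 80, seq, ack, TH_PSH | TH_ACK, PAYLOAD)
    client_data = b""
    for pkt in (fake_fin, real):
        sensor.feed(pkt)
        seg = parse_tcp(pkt)
        if client_accepts(seg):
            client_data += seg["payload"]
    return sensor.reassembled(), client_data


def signature_hit(data):
    """Stand-in for a content match on the reassembled stream."""
    return b"/evil" in data


if __name__ == "__main__":
    for patched in (False, True):
        seen, delivered = evasion_attempt(patched)
        print(f"patched={patched}: sensor saw {seen!r}, client got {delivered!r}, "
              f"alert={signature_hit(seen)}")
```

Without the rejection the sensor keeps the empty fake FIN at seq 1000 and ignores the real segment, so the signature never sees the request the client processes; with the rejection the fake FIN is refused and the data-carrying segment is the one that is reassembled. The same `is_broken_ack` predicate also explains the StreamTcpTest10 change: a SYN with th_ack = 11 trips it, a SYN with th_ack = 0 does not.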