what you don't know can hurt you

Suricata 2.0.3 Out Of Bounds Access

Suricata 2.0.3 Out Of Bounds Access
Posted Sep 24, 2014
Authored by Steffen Bauch

It was found out that the application parser for SSH integrated in Suricata version 2.0.3 contains a flaw that might lead to an out-of-bounds access. For this reason a denial of service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.

tags | advisory, denial of service
advisories | CVE-2014-6603
MD5 | 30aeb2a83871274a82927599cef0c73b

Suricata 2.0.3 Out Of Bounds Access

Change Mirror Download
CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH application parser

1. Background

Suricata is a high performance Network IDS, IPS and Network Security
Monitoring engine developed by the Open Information Security Foundation
(OISF).

2. Summary Information

It was found out that the application parser for SSH integrated in
Suricata contains a flaw that might lead to an out-of-bounds access. For
this reason a Denial of Service towards the Suricata monitoring software
might be possible using crafted packets on the monitoring interface.

3. Technical Description

The application parser for SSH (src/app-layer-ssh.c) contains a function
SSHParseBanner. In case the parsed buffer is either

"SSH-2.0\r-MySSHClient-0.5.1\n"

or

"SSH-2.0-\rMySSHClient-0.5.1\n"

the function will behave in the wrong way and attempt either a very big
memory allocation or an out of bounds array access with negative index,
which also might lead to out-of-bounds write access under certain
conditions. The problem is caused due to the fact that the end of the
banner and start of the software version are computed independently.

4. Affected versions

Affected versions are Suricata 2.0.3 and 2.1beta1, older versions might
be affected as well.

5. Fix

The issue will be fixed in Suricata 2.0.4 and in the next upcoming major
release. See
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/ for reference.

6. Advisory Timeline

2014-09-10: Discovered
2014-09-12: Reported to vendor by email
2014-09-12: Vendor responded, confirmed and provided preliminary fix
2014-09-17: Requested CVE
2014-09-19: CVE number received
2014-09-23: Vendor reported a fixed version released
2014-09-23: Published

7. Credit

The issue was found by

Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

8. References

http://www.openinfosecfoundation.org/
http://suricata-ids.org/
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close