Actual code will completely discard TCP analysis of a packet that
don't have the ACK bit set but have a ACK value set. This will be
for example the case of all SYN packets that have a ACK value.
Problem is that these type of packets are legit for the operating
systems and for the RFC. The consequence is that an attacker
sending a SYN packet with a non null ACK value will open succesfully
a TCP session to its target and this session will have no protocol
discovery, no TCP streaming and no application layer analysis.
Result is a quasi full evasion of the TCP stream that will only
appear in the flow log if this log is enable or alert on tcp-pkt
signature that are uncommon.
The patch is updating the code to only discard packets that do not
have the SYN flag set. This prevents the evasion and complies with the
RFC that states that the ACK bit should always be set once the
TCP session is established.
This addresses CVE-2021-35063.
Fixes: fa692df37 ("stream: reject broken ACK packets")
Bug: #4513.
/* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */
if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) {
StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);
- goto error;
+ if (!(p->tcph->th_flags & TH_SYN))
+ goto error;
}
/* If we are on IPS mode, and got a drop action triggered from
projects / thirdparty / suricata.git / commitdiff
