From: Eric Leblond
Date: Fri, 28 May 2021 09:38:18 +0000 (+0200)
Subject: stream/tcp: avoid evasion linked to ACK handling
X-Git-Tag: suricata-5.0.7~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f61ef79781605a5d1d75d8bf023da9552f781301;p=thirdparty%2Fsuricata.git

stream/tcp: avoid evasion linked to ACK handling

Actual code will completely discard TCP analysis of a packet that doesn't have the ACK bit set but has an ACK value set. This will be for example the case of all SYN packets that have an ACK value. The problem is that these types of packets are legit for the operating systems and for the RFC.

The consequence is that an attacker sending a SYN packet with a non-null ACK value will successfully open a TCP session to its target and this session will have no protocol discovery, no TCP streaming and no application layer analysis. The result is a quasi-full evasion of the TCP stream that will only appear in the flow log if this log is enabled, or alert on tcp-pkt signatures that are uncommon.

The patch is updating the code to only discard packets that do not have the SYN flag set. This prevents the evasion and complies with the RFC, which states that the ACK bit should always be set once the TCP session is established.

This addresses CVE-2021-35063.

Fixes: fa692df37 ("stream: reject broken ACK packets")
Bug: #4513.
---
diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 2884c919b4..af1c67d444 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -4835,7 +4835,8 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt, /* broken TCP http://ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set */ if (!(p->tcph->th_flags & TH_ACK) && TCP_GET_ACK(p) != 0) { StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK); - goto error; + if (!(p->tcph->th_flags & TH_SYN)) + goto error; } /* If we are on IPS mode, and got a drop action triggered from
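Review bot: in the single hunk at @@ -4835 the call `StreamTcpSetEvent(p, STREAM_PKT_BROKEN_ACK);` still runs before the new `if (!(p->tcph->th_flags & TH_SYN))` test, so a SYN with a non-zero ACK field, which the commit message describes as legitimate for operating systems and for the RFC, is now processed by the stream engine but still raises the broken-ACK stream event; if that is intended (keeping visibility of what used to be an evasion probe), the comment above the check should say so, since it still only points at the Wireshark question and does not mention the SYN exception, and if it is not intended the event call should move inside the new branch so that event and `goto error` stay paired as they were before fa692df37's check was relaxed. Minor: the enclosing `if` uses braces, so the added two-line `if` would be more consistent with them too. The diff touches only src/stream-tcp.c; a regression case that feeds a SYN carrying a non-zero ACK value and checks that the session is tracked would pin the behaviour this commit relies on.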
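The check the hunk changes, worked through on raw TCP headers as an added example that is not Suricata code: a small parser pulls the flags byte and the ACK field out of a constructed 20-byte header, and `check_before()` / `check_after()` reproduce the pre-patch and post-patch decisions. The `TH_*` constants, `enum broken_ack_result`, `struct tcp_view` and all function names are this example's own (STREAM_PKT_BROKEN_ACK appears only in comments). It goes beyond the SYN case in the message by also running a bare RST and a bare FIN with a non-zero ACK field, which both versions still discard.

```c
/* Added example, not Suricata code: pre- and post-patch "broken ACK" decisions
 * for the packet types named in the commit message, on constructed headers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum broken_ack_result {
    BA_OK = 0,         /* no event, packet processed normally */
    BA_EVENT_KEEP = 1, /* broken-ACK event set, packet still processed */
    BA_EVENT_DROP = 2  /* broken-ACK event set, packet discarded (goto error) */
};

struct tcp_view {
    uint8_t flags;
    uint32_t ack;
};

/* Extract flags and ACK number from a 20-byte TCP header in wire order:
 * ACK number is bytes 8..11 big-endian, the flags are the low byte of
 * the data-offset/flags word at bytes 12..13. */
static int parse_tcp(const uint8_t *hdr, size_t len, struct tcp_view *out)
{
    if (len < 20)
        return -1;
    out->ack = ((uint32_t)hdr[8] << 24) | ((uint32_t)hdr[9] << 16) |
               ((uint32_t)hdr[10] << 8) | (uint32_t)hdr[11];
    out->flags = hdr[13];
    return 0;
}

/* Pre-patch behaviour: ACK bit clear plus non-zero ACK field => discard. */
static enum broken_ack_result check_before(const struct tcp_view *t)
{
    if (!(t->flags & TH_ACK) && t->ack != 0)
        return BA_EVENT_DROP;
    return BA_OK;
}

/* Post-patch behaviour: same event condition, but a SYN is kept. */
static enum broken_ack_result check_after(const struct tcp_view *t)
{
    if (!(t->flags & TH_ACK) && t->ack != 0) {
        if (!(t->flags & TH_SYN))
            return BA_EVENT_DROP;
        return BA_EVENT_KEEP;
    }
    return BA_OK;
}

/* Constructed sample header: sport 49153, dport 80, fixed seq, no options. */
static void build_tcp(uint8_t out[20], uint8_t flags, uint32_t ack)
{
    static const uint8_t prefix[8] = { 0xc0, 0x01, 0x00, 0x50, 0x11, 0x22, 0x33, 0x44 };
    memset(out, 0, 20);
    memcpy(out, prefix, sizeof prefix);
    out[8] = (uint8_t)(ack >> 24); out[9] = (uint8_t)(ack >> 16);
    out[10] = (uint8_t)(ack >> 8); out[11] = (uint8_t)ack;
    out[12] = 0x50;  /* data offset 5 words = 20 bytes */
    out[13] = flags;
    out[14] = 0xff; out[15] = 0xff; /* window */
}

/* Parse a raw header and apply one of the two policies; a truncated header
 * is treated as unusable. */
static enum broken_ack_result classify(const uint8_t *hdr, size_t len, int after_patch)
{
    struct tcp_view t;
    if (parse_tcp(hdr, len, &t) != 0)
        return BA_EVENT_DROP;
    return after_patch ? check_after(&t) : check_before(&t);
}

static enum broken_ack_result classify_flags(uint8_t flags, uint32_t ack, int after_patch)
{
    uint8_t hdr[20];
    build_tcp(hdr, flags, ack);
    return classify(hdr, sizeof hdr, after_patch);
}

int main(void)
{
    struct { const char *name; uint8_t flags; uint32_t ack; } cases[] = {
        { "SYN, ack=0 (normal handshake)", TH_SYN,          0 },
        { "SYN, ack!=0 (evasion probe)",   TH_SYN,          0xdeadbeefu },
        { "SYN/ACK",                       TH_SYN | TH_ACK, 0x11223345u },
        { "ACK",                           TH_ACK,          0x11223345u },
        { "RST, ack!=0",                   TH_RST,          0x11223345u },
        { "FIN, ack!=0",                   TH_FIN,          0x11223345u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s before=%d after=%d\n", cases[i].name,
               (int)classify_flags(cases[i].flags, cases[i].ack, 0),
               (int)classify_flags(cases[i].flags, cases[i].ack, 1));
    return 0;
}
```

Result 2 in the `before` column is the pre-patch discard that made the SYN probe invisible to stream and app-layer analysis; after the patch that SYN moves to 1 (event set, packet kept), while every non-SYN case keeps the same verdict.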