Re: CVE request: denial of service in suricata

[Victor Julien <lists () inliniac net>]

On 12/12/2014 02:10 PM, Pierre Schweitzer wrote:
> So, here to have an attack possible, it would require to send gzipped
> traffic (as expressed in the bug report) and to "hope" that zlib somehow
> fails in the process (due to low memory situation or to old zlib) with
> Z_STREAM_ERROR, so that we have cascade with a NULL pointer being
> propagated so that there's a segfault?
>
> Or am I wrong with my scenario?

No, I think this could be an attack vector indeed. Technically I think
this was an issue in libhtp and not suricata btw. Not sure if that
matters much, suri is the main user to libhtp as far as I know.

Cheers,
Victor

> On 12/12/2014 02:02 PM, Victor Julien wrote:
> > On 12/12/2014 01:56 PM, Pierre Schweitzer wrote:
> > > It appears, looking at bug #1272 [1] in Suricata, that it was
> > > possible to crash Suricata with specific packets due to a bug in
> > > the libhtp (which got fixed with libhtp 0.5.16).
> > >
> > > It got fixed with the release 2.0.5 from Suricata.
> > >
> > > Was a CVE already assigned to this issue? Otherwise can a CVE be
> > > assigned?
> > >
> > > With my best regards,
> > >
> > > [1]: https://redmine.openinfosecfoundation.org/issues/1272
> >
> > To our knowledge this couldn't be triggered by specific traffic
> > conditions. Rather it seemed to be an issue when:
> >
> > - older zlib versions were used that didn't always setup properly for
> > a reason unknown to us
> >
> > OR
> >
> > - extreme memory pressure (malloc's failing)
> >
> > Cheers,
> > Victor


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------