Chang Zedd

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 6.0.4 **Description** An issue in Suricata allows bypassing or evading any HTTP-based signature by faking an RST TCP packet with random TCP options of the `md5header` from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP `md5header` option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action. The vulnerability is related to insufficient checking of the hash function when processing MD5 and AO RST packets, which can allow a remote attacker to implement a TCP Reset attack. **Recommendations** For Suricata versions prior to 6.0.4, update to version 6.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the handling of RST TCP packets with random TCP options of the `md5header` to minimize the risk of exploitation.