CVE-2019-18792

Name of the Vulnerable Software and Affected Versions Suricata version 5.0.0

Description An issue was discovered in Suricata that allows an attacker to bypass or evade any TCP-based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet, which contains the data to be bypassed. Suricata ignores the PUSH ACK packet because it overlaps the FIN packet, which has identical sequence and ACK numbers. The client ignores the fake FIN packet because the ACK flag is not set. Both Linux and Windows clients ignore the injected packet.

Recommendations For Suricata version 5.0.0, consider disabling the TCP signature detection until a patch is available, as a temporary workaround to minimize the risk of exploitation. Restrict access to the Suricata system to prevent remote attackers from injecting fake FIN packets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.