PT-2020-6918 · Suricata · Suricata

Victor Julien · Published 2020-01-06 · Updated 2024-10-22 · CVE-2019-18625

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Suricata version 5.0.0

Description

A problem was discovered in Suricata where it is possible to bypass or evade any TCP-based signature by faking a closed TCP session using a malicious server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and FIN ACK packets due to the bad TCP Timestamp option. Both Linux and Windows clients ignore the injected packets.

Recommendations

For Suricata version 5.0.0, as a temporary workaround, consider disabling the TCP signature checking until a patch is available. Restrict access to the Suricata system to minimize the risk of exploitation. Avoid using the TCP protocol with a bad TCP Timestamp option in the affected system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
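The state desynchronization in the description can be modeled with a small flow tracker. This is an added example, not Suricata code: `Seg`, `track` and `client_would_accept` are hypothetical names, the trace is constructed, and "bad TCP Timestamp" is assumed to mean a TSecr that does not echo the TSval from the client's SYN.

```python
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
# Constructed, simplified TCP segment (not a real packet parser).
Seg = namedtuple("Seg", "from_client flags seq ack tsval tsecr",
                 defaults=(0, 0, None, None))

def client_would_accept(s, isn, syn_tsval):
    """Simplified SYN_SENT acceptance test: ACK number and timestamp echo only."""
    if s.flags & ACK and s.ack != (isn + 1) & 0xFFFFFFFF:
        return False
    # Assumption: a "bad" timestamp is a TSecr that does not echo the SYN's TSval.
    if syn_tsval is not None and s.tsecr is not None:
        return s.tsecr == syn_tsval
    return True

def track(segs, validate=True):
    """Return (final_state, ignored) for one flow. validate=False models a
    tracker that lets any server RST/FIN close the half-open session."""
    state, isn, syn_tsval, ignored = "NEW", 0, None, []
    for s in segs:
        if s.from_client:
            if s.flags == SYN and state == "NEW":
                state, isn, syn_tsval = "SYN_SENT", s.seq, s.tsval
            elif s.flags & ACK and state == "SYN_RECV":
                state = "ESTABLISHED"
        elif state == "SYN_SENT":
            if validate and not client_would_accept(s, isn, syn_tsval):
                ignored.append(s)      # endpoint drops it, so the tracker must too
            elif s.flags & (RST | FIN):
                state = "CLOSED"       # inspection of this flow stops here
            elif s.flags & SYN and s.flags & ACK:
                state = "SYN_RECV"
    return state, ignored

# Constructed trace following the advisory's description.
TRACE = [
    Seg(True, SYN, seq=1000, tsval=5000),
    Seg(False, RST | ACK, ack=1001, tsval=1, tsecr=9999),
    Seg(False, FIN | ACK, ack=1001, tsval=1, tsecr=9999),
    Seg(False, SYN | ACK, seq=7000, ack=1001, tsval=300, tsecr=5000),
    Seg(True, ACK, seq=1001, ack=7001, tsval=5001, tsecr=300),
]

if __name__ == "__main__":
    print(track(TRACE, validate=False)[0], track(TRACE)[0])
```

With `validate=False` the tracker ends in `CLOSED` while the client goes on to complete the handshake; with validation it stays in step with the client and records the two discarded segments, which are themselves worth logging as an anomaly.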

Weakness Enumeration

Related Identifiers

BDU:2023-06878
CVE-2019-18625
DLA-2087-1

Affected Products

Suricata