CVE-2021-45098

Name of the Vulnerable Software and Affected Versions Suricata versions prior to 6.0.4

Description An issue in Suricata allows bypassing or evading any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action. The vulnerability is related to insufficient checking of the hash function when processing MD5 and AO RST packets, which can allow a remote attacker to implement a TCP Reset attack.

Recommendations For Suricata versions prior to 6.0.4, update to version 6.0.4 or later to resolve the issue. As a temporary workaround, consider restricting the handling of RST TCP packets with random TCP options of the md5header to minimize the risk of exploitation.