An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by sending, from the client side, a forged TCP RST packet whose TCP MD5 header option carries random contents. After the three-way handshake, it is possible to inject an RST ACK with a random TCP md5header option. The client can then send an HTTP GET request for a forbidden URL. The server ignores the RST ACK and sends the HTTP response for the client's request. These packets do not trigger a Suricata reject action.
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "function": "DecodeTCPOptions", "file": "src/decode-tcp.c" }, "signature_type": "Function", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "length": 3056.0, "function_hash": "32798937301964368305689530638561933616" }, "id": "CVE-2021-45098-7bd00631" }, { "signature_version": "v1", "target": { "file": "src/stream-tcp.c" }, "signature_type": "Line", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "line_hashes": [ "298668671455610702915103447051742258437", "256631810295012211850575970957164370311", "123383077366789806747570069411808274271", "274369461503223323845070479388222163445", "81252066565862047776416149689762193267", "194126627155482699807327090414817736513", "279325392824502007740694175045747413119", "108132844981397602831514210151998199529", "61372347601594444231145274006763826344", "25892010124558066242332141158214465535" ], "threshold": 0.9 }, "id": "CVE-2021-45098-9ab0b7c9" }, { "signature_version": "v1", "target": { "file": "src/decode-tcp.c" }, "signature_type": "Line", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "line_hashes": [ "170552253051911852146487529132580135837", "163062811452642697869803281768232611934", "285868154989856370439780572676159995884", "220648413416416060419813201480483870163" ], "threshold": 0.9 }, "id": "CVE-2021-45098-ca76ba9c" }, { "signature_version": "v1", "target": { "file": "src/decode-tcp.h" }, "signature_type": "Line", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "line_hashes": [ "132295267061987848369583130253603522180", "241660162830298340947169635807810546259", "271631569540684670286125895492242638263", 
"308873693325180287847751687015928839693", "6429480766519447554244969506203846599" ], "threshold": 0.9 }, "id": "CVE-2021-45098-d0e22e0d" }, { "signature_version": "v1", "target": { "function": "StreamTcpPacketStateClosed", "file": "src/stream-tcp.c" }, "signature_type": "Function", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "length": 831.0, "function_hash": "208081842680579566268159183757970571539" }, "id": "CVE-2021-45098-d2306e1a" }, { "signature_version": "v1", "target": { "function": "StreamTcpValidateRst", "file": "src/stream-tcp.c" }, "signature_type": "Function", "source": "https://github.com/oisf/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df", "deprecated": false, "digest": { "length": 4279.0, "function_hash": "54448183064142838596041141727351530953" }, "id": "CVE-2021-45098-d767947c" } ] }