CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH application parser
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine developed by the Open Information Security Foundation (OISF).
It was found out that the application parser for SSH integrated in Suricata contains a flaw that might lead to an out-of-bounds access. For this reason a Denial of Service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.
The application parser for SSH (src/app-layer-ssh.c) contains a function SSHParseBanner. In case the parsed buffer is either
"SSH-2.0\r-MySSHClient-0.5.1\n"
or
"SSH-2.0-\rMySSHClient-0.5.1\n"
the function will behave in the wrong way and attempt either a very big memory allocation or an out of bounds array access with negative index, which also might lead to out-of-bounds write access under certain conditions. The problem is caused due to the fact that the end of the banner and start of the software version are computed independently.
Affected versions are Suricata 2.0.3 and 2.1beta1, older versions might be affected as well.
The issue will be fixed in Suricata 2.0.4 and in the next upcoming major release. See http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/ for reference.
2014-09-10: Discovered
2014-09-12: Reported to vendor by email
2014-09-12: Vendor responded, confirmed and provided preliminary fix
2014-09-17: Requested CVE
2014-09-19: CVE number received
2014-09-23: Vendor reported a fixed version released
2014-09-23: Published
The issue was found by
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
http://www.openinfosecfoundation.org/
http://suricata-ids.org/
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/