CVE-2019-18792

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass TCP-based intrusion detection signatures in Suricata by injecting fake FIN packets that overlap legitimate TCP segments. Systems running vulnerable versions of Suricata for network monitoring are affected, potentially allowing malicious traffic to evade detection.

💻 Affected Systems

Products:
  • Suricata
Versions: 5.0.0
Operating Systems: Linux, Windows, All platforms running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TCP-based signatures. UDP and other protocol signatures are not affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers completely bypass network intrusion detection, allowing malware delivery, data exfiltration, or command and control traffic to go undetected.

🟠 Likely Case

Targeted evasion of specific detection rules, enabling limited malicious activity to bypass security monitoring.

🟢 If Mitigated

With proper patching and monitoring, the vulnerability has minimal impact as detection capabilities remain intact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access and ability to craft TCP packets with specific timing and sequence numbers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.1 and later

Vendor Advisory: https://redmine.openinfosecfoundation.org/issues/3324

Restart Required: Yes

Instructions:

1. Update Suricata to version 5.0.1 or later.
2. Download from official Suricata repositories.
3. Install the updated package.
4. Restart the Suricata service.

🔧 Temporary Workarounds

Enable stream.reassembly.depth (applies to: all)

Increase TCP stream reassembly depth to make overlapping packet evasion more difficult:

stream.reassembly.depth: 10mb

🧯 If You Can't Patch

  • Deploy additional network monitoring layers (secondary IDS/IPS)
  • Implement strict network segmentation to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check Suricata version with 'suricata --build-info' or 'suricata -V'

Check Version:

suricata -V

Verify Fix Applied:

Verify version is 5.0.1 or later and check for commit 1c63d3905852f746ccde7e2585600b2199cefb4b in build

📡 Detection & Monitoring

Log Indicators:

  • Unusual TCP FIN packet patterns
  • Signature bypass alerts
  • Stream reassembly errors

Network Indicators:

  • TCP packets with overlapping sequence numbers
  • FIN packets without ACK flag set
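As an added example (not part of the original advisory), a small Python triage helper that applies the two network indicators above to decoded TCP packet records: it tracks per-flow sequence ranges and flags FIN segments that carry no ACK and packets whose sequence range overlaps data already seen. The packet dataclass, the flow key format and the sample packets are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    """Minimal decoded TCP header; constructed for this example, not a real capture format."""
    flow: str         # hypothetical flow key, e.g. "src:sport->dst:dport"
    seq: int          # TCP sequence number
    payload_len: int  # bytes of payload
    fin: bool
    ack: bool

@dataclass
class FlowState:
    seen: list = field(default_factory=list)  # (start, end) sequence ranges already observed

def overlaps(seen, start, end):
    """True if the half-open range [start, end) intersects any recorded range."""
    return any(s < end and start < e for s, e in seen)

def check_packets(pkts):
    """Return (flow, seq, reason) tuples for packets matching the indicators above.
    Legitimate retransmissions also overlap, so treat hits as triage leads, not proof."""
    flows, findings = {}, []
    for p in pkts:
        st = flows.setdefault(p.flow, FlowState())
        # A FIN consumes one sequence number in addition to any payload.
        start, end = p.seq, p.seq + p.payload_len + (1 if p.fin else 0)
        if p.fin and not p.ack:
            findings.append((p.flow, p.seq, "FIN without ACK"))
        if end > start and overlaps(st.seen, start, end):
            findings.append((p.flow, p.seq, "overlaps already-seen sequence range"))
        if end > start:
            st.seen.append((start, end))
    return findings

# Constructed sample flow: two in-order data segments, then a FIN that lands
# inside bytes already delivered and carries no ACK flag, then normal data.
SAMPLE = [
    Pkt("10.0.0.5:40000->10.0.0.9:80", 1000, 100, fin=False, ack=True),
    Pkt("10.0.0.5:40000->10.0.0.9:80", 1100, 50, fin=False, ack=True),
    Pkt("10.0.0.5:40000->10.0.0.9:80", 1050, 0, fin=True, ack=False),
    Pkt("10.0.0.5:40000->10.0.0.9:80", 1150, 20, fin=False, ack=True),
]

if __name__ == "__main__":
    for flow, seq, reason in check_packets(SAMPLE):
        print(f"{flow} seq={seq}: {reason}")
```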

SIEM Query:

source="suricata" AND ((event_type="alert" AND alert.signature="*bypass*") OR stream.reassembly.error="*")
