CVE-2021-45098

CVSS: 7.5 HIGH

📋 TL;DR

An attacker on the client side of a TCP connection monitored by Suricata can evade every HTTP-based signature by sending a forged TCP RST carrying a bogus TCP MD5 signature option (RFC 2385) ahead of the HTTP request. Vulnerable Suricata versions accepted such a reset and stopped tracking the session, while a typical server (Linux, for example, discards a TCP segment carrying an MD5 option it did not negotiate) ignored the segment and kept the connection open; the HTTP request that followed was therefore never matched against HTTP rules. Affected are all deployments running a vulnerable Suricata that inspects HTTP traffic, in IDS or IPS mode.

💻 Affected Systems

Products:
  • Suricata IDS/IPS
Versions: 6.0 branch before 6.0.4; 5.0 branch before 5.0.8 (older, end-of-life branches are also affected)
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the TCP stream engine, so no non-default setting is needed to be exposed. Any deployment whose rules depend on Suricata's HTTP parsing (the http.* sticky buffers and keyword family, HTTP app-layer events) is affected, whether the sensor runs in alert-only IDS mode or in inline IPS mode with drop or reject actions.

📦 What is this software?

Suricata is an open-source network IDS/IPS and network security monitoring engine maintained by the Open Information Security Foundation (OISF). It reassembles TCP streams and parses application protocols such as HTTP so that signatures can match on decoded protocol fields rather than raw packets.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who controls a client talking to a server behind the sensor can push any HTTP traffic (exploit requests, malware downloads over HTTP, command-and-control or exfiltration over HTTP) past every HTTP-based rule without an alert or, in IPS mode, without a drop.

🟠 Likely Case

Targeted evasion of specific HTTP rules during an intrusion, so that the network monitoring layer shows no HTTP alerts for a connection that did carry the attack.

🟢 If Mitigated

Patched versions validate an RST that carries an MD5/AO option like any other RST, so a forged reset no longer tears down the tracked session and the HTTP request that follows is inspected as normal.

🌐 Internet-Facing: HIGH - Suricata is commonly deployed at network perimeters to inspect inbound/outbound HTTP traffic.
🏢 Internal Only: MEDIUM - Internal Suricata deployments monitoring east-west traffic could also be bypassed.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to control the client side of a TCP connection that passes the sensor and to inject a raw TCP segment: an RST with an MD5 signature option cannot be produced through the normal socket API, so a raw socket or a packet-crafting library is needed. No credentials or interaction with the target server beyond a normal connection are required. The technique is described in the vulnerability disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.4 and 5.0.8

Vendor Advisory: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942

Restart Required: Yes

Instructions:

1. Back up the current Suricata configuration (/etc/suricata/suricata.yaml and the rules directory).
2. Update the package. Debian/Ubuntu: 'sudo apt update && sudo apt install --only-upgrade suricata'. RHEL/CentOS: 'sudo yum update suricata'. Distribution repositories often lag behind upstream; if the packaged version is still below 6.0.4 (6.0 branch) or 5.0.8 (5.0 branch), use the OISF PPA (ppa:oisf/suricata-stable) on Ubuntu or build the release from source.
3. Restart the service so the new binary is loaded: 'sudo systemctl restart suricata'. A rule reload through suricatasc is not sufficient, because the fix is in the engine, not in rules.
4. Confirm the version: 'suricata -V' should report 6.0.4 or later on the 6.0 branch, or 5.0.8 or later on the 5.0 branch.

🔧 Temporary Workarounds

No configuration switch exists

Applies to: all platforms

Suricata has no setting that disables handling of the TCP MD5 or TCP-AO option, so the behaviour cannot be turned off in suricata.yaml; the upgrade is the only real fix. Do not add unknown keys under the decoder section expecting them to take effect.

Alert on signed RST segments

Applies to: all platforms

Until patched, add a packet-level rule that alerts on TCP RST segments carrying the MD5 signature option (option kind 19, length 18), for example by matching the raw TCP header bytes with the tcp.hdr sticky buffer available since Suricata 5.0. This logs evasion attempts so they can be investigated; the HTTP request that follows is still not inspected.

Use a second inspection point

Applies to: all platforms

Every signature that depends on Suricata's HTTP parsing is bypassable, so rely on controls that see the request independently until the sensor is upgraded: web server or reverse proxy access logs, a WAF, or host-based telemetry on the servers behind the sensor.

🧯 If You Can't Patch

  • Treat Suricata's HTTP alerts as incomplete until the sensor is upgraded: absence of an HTTP alert for a connection is not evidence that the connection was clean
  • Deploy or weight controls that see the HTTP request on the endpoint side, where the forged RST is discarded: a WAF or reverse proxy, web server access logging, and host-based monitoring on the servers behind the sensor

🔍 How to Verify

Check if Vulnerable:

Check the running version with 'suricata -V'. The system is vulnerable if the 6.0 branch reports a version below 6.0.4, the 5.0 branch reports a version below 5.0.8, or an older branch is in use. Check the running process, not only the installed package: a package upgrade without a restart leaves the old binary in memory.

Check Version:

suricata -V | head -1

Verify Fix Applied:

After the update, confirm that 'suricata -V' reports 6.0.4+ or 5.0.8+ for the respective branch. For a functional check, replay a capture that contains a client-side RST carrying the MD5 option followed by a request matching a known HTTP signature ('suricata -r file.pcap' with the production rule set) and confirm that the HTTP alert fires in eve.json; a capture without the forged RST should produce the same alert, which confirms the rule itself is sound.
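The branch-aware version comparison above, written out as an added Python example (not part of the original page or of Suricata). It parses the banner printed by 'suricata -V' and compares the version against the fix release of its own branch rather than against a single number, so 5.0.9 is correctly reported as patched while 6.0.3 is not. Assumptions: the 'suricata' binary is on PATH, the first banner line has the form 'This is Suricata version X.Y.Z RELEASE', and no end-of-life branch before 5.0 received a backport.

```python
import re
import subprocess

# Fix versions per maintained branch, from the vendor release announcement.
FIXED_IN = {5: (5, 0, 8), 6: (6, 0, 4)}

# Assumed banner format: "This is Suricata version 6.0.3 RELEASE"
VERSION_RE = re.compile(r"Suricata version (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor, patch) extracted from the `suricata -V` output."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version) -> bool:
    """Compare against the fix version of the running branch, not a single number."""
    major = version[0]
    if major in FIXED_IN:
        return version < FIXED_IN[major]
    # NVD lists all versions before 6.0.4 as affected, so anything older than
    # the 5.0 branch is vulnerable; 7.x and later were released after the fix.
    # Assumption: no backport was made to end-of-life branches.
    return major < 5


def check_installed_suricata():
    """Query the installed binary (assumes 'suricata' is on PATH); returns (version, vulnerable)."""
    proc = subprocess.run(["suricata", "-V"], capture_output=True, text=True, check=True)
    version = parse_version(proc.stdout + proc.stderr)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v, vuln = check_installed_suricata()
    print("Suricata %d.%d.%d: %s" % (*v, "VULNERABLE" if vuln else "patched"))
```

Run it on the sensor itself rather than on a build host, so that the version checked is the one actually handling traffic.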

📡 Detection & Monitoring

Log Indicators:

  • EVE flow records for connections to HTTP ports in which the client sent an RST (tcp.rst=true) yet Suricata never recognised HTTP (app_proto absent or not "http"), while the web server's own access log shows a request on that connection
  • Requests in server or proxy logs that match deployed HTTP signatures but have no corresponding Suricata alert or event_type="http" record

Network Indicators:

  • A TCP RST from the client carrying the TCP MD5 signature option (kind 19, length 18) or the TCP-AO option (kind 29) on a connection that was never negotiated with MD5/AO, typically with an out-of-window sequence number
  • Client data (for example an HTTP request) continuing on the same 4-tuple immediately after that RST, showing that the server did not honour the reset
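The two network indicators above, as an added Python example that is not part of the original page or of Suricata's own code: a minimal TCP header and option parser that flags an RST carrying the MD5 signature (kind 19) or TCP-AO (kind 29) option, and a check over one connection's segments for a client-side signed RST followed by more client payload, which is the pattern a server that discarded the reset would leave behind. The segments are constructed inline for the example (the ports, sequence numbers and the hostname are assumptions); a real deployment would feed the functions from a pcap or a capture library after stripping the IP header.

```python
import struct

TCP_MD5SIG = 19   # RFC 2385 TCP MD5 Signature option kind
TCP_AO = 29       # RFC 5925 TCP Authentication Option kind
FLAG_RST = 0x04


def parse_tcp_options(options: bytes):
    """Walk the TCP options field; return a list of (kind, data) for non-NOP options."""
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return parsed


def parse_tcp(segment: bytes):
    """Parse a raw TCP segment (no IP header) into the fields the check needs."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4       # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def is_signed_rst(segment: bytes) -> bool:
    """True for an RST that carries an MD5 signature or TCP-AO option."""
    tcp = parse_tcp(segment)
    if not tcp["flags"] & FLAG_RST:
        return False
    return any(kind in (TCP_MD5SIG, TCP_AO) for kind, _ in tcp["options"])


def find_evasion_candidates(segments):
    """segments: list of (direction, raw_tcp) for one connection in capture order,
    direction being 'c2s' (client to server) or 's2c'. Returns the indexes of
    client-side signed RSTs that were followed by more client payload, i.e.
    resets the server evidently did not honour but a vulnerable IDS would have."""
    hits, pending = [], None
    for idx, (direction, raw) in enumerate(segments):
        if direction != "c2s":
            continue
        if is_signed_rst(raw):
            pending = idx
        elif pending is not None and parse_tcp(raw)["payload"]:
            hits.append(pending)
            pending = None
    return hits


def build_segment(sport, dport, seq, ack, flags, options=b"", payload=b""):
    """Assemble a TCP segment for the constructed sample below (options padded to 4 bytes)."""
    options += b"\x00" * ((-len(options)) % 4)
    offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (offset_words << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample: handshake, then a forged client RST with a bogus MD5
# option (kind 19, length 18, 16 zero bytes as "digest"), then the real request.
BOGUS_MD5_OPTION = bytes([TCP_MD5SIG, 18]) + bytes(16)
SAMPLE = [
    ("c2s", build_segment(40000, 80, 1000, 0, 0x02)),            # SYN
    ("s2c", build_segment(80, 40000, 5000, 1001, 0x12)),         # SYN/ACK
    ("c2s", build_segment(40000, 80, 1001, 5001, 0x10)),         # ACK
    ("c2s", build_segment(40000, 80, 0xDEADBEEF, 0, 0x04, BOGUS_MD5_OPTION)),
    ("c2s", build_segment(40000, 80, 1001, 5001, 0x18,
                          payload=b"GET /cgi-bin/test HTTP/1.1\r\nHost: example.test\r\n\r\n")),
]

if __name__ == "__main__":
    print("signed RST followed by client data at segment index:",
          find_evasion_candidates(SAMPLE))
```

A legitimate RST ends the conversation, so client payload after a signed RST on the same 4-tuple is the discriminating signal; the option alone is not, because hosts that really use TCP MD5 (BGP speakers, for instance) sign every segment including resets.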

SIEM Query:

Suricata cannot log what it did not inspect, so a query over its own alerts will not show the bypass (the original query, alerts without a signature name, matches nothing useful). Hunt instead in EVE flow records for reset connections to HTTP ports in which no HTTP protocol was ever recognised (Splunk-style syntax; field names follow Suricata's EVE JSON flow output, adjust to your indexing):

source="suricata" event_type="flow" proto="TCP" dest_port=80 tcp.rst=true NOT app_proto="http" | stats count by src_ip, dest_ip, tcp.state

Expect noise from scanners and aborted connections; the confirmation is a src_ip/dest_ip pair for which the web server or proxy access log shows a request that Suricata produced no event_type="http" record for.

🔗 References

  • Vendor release announcement: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-45098