CVE-2023-35852

7.5 HIGH

📋 TL;DR

This vulnerability allows an attacker who controls external Suricata rules to perform directory traversal attacks, potentially writing arbitrary files to the local filesystem. It affects Suricata installations using external rule sources where an adversary can manipulate dataset filenames. The issue is mitigated by requiring explicit configuration flags for absolute filenames and write operations.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions before 6.0.13
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using external rule sources with dataset functionality and without proper configuration restrictions

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary file write leading to remote code execution, system compromise, or data exfiltration

🟠 Likely Case: Unauthorized file writes to sensitive directories, potentially disrupting Suricata operation or creating backdoors

🟢 If Mitigated: No impact if proper configuration restrictions are in place

🌐 Internet-Facing: MEDIUM - Requires attacker to control external rule source, which may be internet-facing
🏢 Internal Only: LOW - Typically requires internal rule source compromise

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires control over external rule source and specific configuration conditions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.13

Vendor Advisory: https://github.com/OISF/suricata/commit/735f5aa9ca3b28cfacc7a443f93a44387fbacf17

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Suricata to version 6.0.13 or later.
3. Review and update the datasets configuration if using absolute filenames or write operations.
4. Restart the Suricata service.

🔧 Temporary Workarounds

Restrict dataset configuration (applies to: all)

Disable allow-absolute-filenames and allow-write in the datasets configuration. Edit suricata.yaml and set datasets.allow-absolute-filenames: false and datasets.allow-write: false.

Restrict external rule sources (applies to: all)

Only use trusted, controlled rule sources. Review the rule-files configuration in suricata.yaml and remove untrusted sources.

🧯 If You Can't Patch

  • Implement strict access controls on external rule sources
  • Monitor for unauthorized file writes in Suricata working directories

🔍 How to Verify

Check if Vulnerable:

Check the Suricata version (suricata --build-info | grep version) and review the datasets section of suricata.yaml for the allow-absolute-filenames and allow-write settings.

Check Version:

suricata --build-info | grep version

Verify Fix Applied:

Confirm the version is 6.0.13 or later and verify that datasets.allow-absolute-filenames and datasets.allow-write are set to false unless absolute filenames or write operations are explicitly required.
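The version check and the datasets configuration check above (and the workaround settings under Temporary Workarounds) can be combined into one script. This is an added example, not part of this advisory or of Suricata itself; the build-info line and the suricata.yaml fragment are constructed samples, and the flag parser is a deliberately simple line scanner rather than a full YAML parser.

```python
import re

FIXED_VERSION = (6, 0, 13)  # first 6.0.x release carrying the fix, per the advisory

# Constructed sample modelled on the first line printed by `suricata --build-info`
SAMPLE_BUILD_INFO = "This is Suricata version 6.0.12 RELEASE\nFeatures: PCAP_SET_BUFF\n"

# Constructed suricata.yaml fragment; only the datasets block matters for this CVE
SAMPLE_YAML = """\
datasets:
  # datasets may be loaded from absolute paths (the permissive setting)
  allow-absolute-filenames: true
  allow-write: false
  defaults:
    memcap: 100mb
rule-files:
  - suricata.rules
"""

def parse_version(build_info):
    """Return (major, minor, patch) from `suricata --build-info` output."""
    m = re.search(r"Suricata version (\d+)\.(\d+)\.(\d+)", build_info)
    if not m:
        raise ValueError("no Suricata version line found")
    return tuple(int(x) for x in m.groups())

def dataset_flags(yaml_text):
    """Scan the top-level `datasets:` block (any nesting depth) for the two flags
    the fix introduced. A missing key counts as False (the restrictive setting)."""
    flags = {"allow-absolute-filenames": False, "allow-write": False}
    in_block = False
    for line in yaml_text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not stripped:
            continue
        if not line.startswith((" ", "\t")):        # a new top-level key ends the block
            in_block = stripped == "datasets:"
            continue
        if in_block:
            key, _, value = stripped.strip().partition(":")
            if key in flags:
                flags[key] = value.strip().lower() in ("true", "yes", "on")
    return flags

def assess(build_info, yaml_text):
    """Verdict: attention is needed if the build predates the fix or either flag is on."""
    version = parse_version(build_info)
    flags = dataset_flags(yaml_text)
    patched = version >= FIXED_VERSION
    return {"version": version, "patched": patched, "flags": flags,
            "needs_attention": (not patched) or any(flags.values())}
```

Feed it the real output of suricata --build-info and the contents of your suricata.yaml; a result with needs_attention set to True means either the upgrade or the configuration change from this advisory is still outstanding.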

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations in Suricata logs
  • Dataset-related errors or warnings

Network Indicators:

  • Unusual traffic to/from rule update sources

SIEM Query:

suricata AND (dataset OR "absolute filename" OR "directory traversal")
