CVE-2019-18792
Publication date 6 January 2020
Last updated 26 August 2025
Ubuntu priority
Description
An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| suricata | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Ignored end of standard support, was needs-triage | |
| 16.04 LTS xenial | Ignored end of standard support, was needs-triage | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.1 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
References
Other references
- https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b (master-4.1.x)
- https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006 (suricata-5.0.1)
- https://redmine.openinfosecfoundation.org/issues/3324
- https://redmine.openinfosecfoundation.org/issues/3394
- https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b
- https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006
- https://www.cve.org/CVERecord?id=CVE-2019-18792