CVE-2021-45098 in Suricata
Summary
by MITRE • 12/16/2021
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
Analysis
by VulDB Data Team • 11/04/2025
CVE-2021-45098 is a detection bypass in the Suricata network intrusion detection system that operates at the TCP transport layer. It affects Suricata versions before 6.0.4 and specifically undermines HTTP-based signature matching, letting an attacker evade signatures that would normally alert on or block the traffic. The bypass abuses the way Suricata tracks TCP connection state: when a RST packet carrying an MD5 header option is injected into the flow, Suricata does not validate the connection state correctly, and the resulting gap in stream tracking is the window in which signature matching is circumvented.
Exploitation follows a multi-step pattern built on the TCP three-way handshake and the connection state management that follows it. The attacker first establishes a legitimate TCP connection with the target server, then injects from the client side a crafted RST packet carrying random TCP options that include an MD5 header option. The packet must carry the correct sequence and acknowledgment numbers to look legitimate to the network stack. The random md5header option causes Suricata to process the connection state incorrectly, effectively resetting its connection tracking for that flow. The attacker then sends an HTTP GET request for a forbidden URL; the server ignores the RST, processes the request and responds normally, while Suricata, working from corrupted connection state, never fires the expected reject action.
The operational impact goes beyond a single missed signature, because it weakens the network security monitoring capability as a whole. When Suricata fails to detect and block malicious HTTP requests, administrators who rely on it for intrusion detection and prevention are left with a false sense of security. The bypass is especially dangerous where HTTP-based signatures are used to catch known malicious patterns such as command-and-control communication, exploit attempts or data exfiltration: requests that should have been flagged and blocked by the signature engine pass through, so a persistent threat can keep communicating over traffic that ought to have been filtered. The attack requires neither deep packet inspection nor complex protocol manipulation, which makes it accessible to threat actors with basic networking knowledge.
The vulnerability fits several cybersecurity frameworks and threat modeling concepts, in particular those concerning TCP/IP protocol exploitation and stateful inspection bypasses. The issue can be categorized under CWE-119 as a buffer overflow or memory corruption vulnerability in the TCP state handling mechanism, and it also shows characteristics of CWE-295, improper certificate validation in network protocols. From an ATT&CK perspective it maps to T1071.004 for application layer protocol usage and T1566 for credential access through network protocols. The pattern illustrates how a protocol-level weakness can undermine security controls that operate higher in the network stack, giving attackers a path around defenses that should have kept malicious traffic from reaching its target. Organizations that depend on Suricata for network security monitoring are particularly exposed, since the bypass defeats the core function of the intrusion detection system.
Mitigation requires prompt patching of Suricata installations to version 6.0.4 or later, where TCP state handling and RST packet processing have been corrected. Network administrators should additionally monitor their traffic for unusual TCP RST packet patterns and for MD5 header options in order to spot exploitation attempts. The patch fixes the core issue by improving TCP connection state validation, so that RST packets carrying MD5 header options are handled without corrupting the connection tracking state. Organizations should also consider further network-level controls: TCP sequence number validation, connection tracking integrity checks, and HTTP signature matching that does not depend on TCP state information. Regular security assessments of network monitoring systems should verify correct TCP state handling and signature matching behavior, so that similar weaknesses in other components of the security infrastructure are found before they can be exploited.
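One way to implement the monitoring recommended above, as an added example that is neither VulDB's nor Suricata's code: it parses raw TCP segments from a constructed trace and flags a flow in which a RST carrying a TCP MD5 Signature option (kind 19) or TCP-AO option (kind 29) is followed by further data, the sign that the endpoint ignored the reset while a monitor may have torn down its stream state. The function names, port numbers and sample bytes are assumptions made for this example.

```python
import struct
TCP_RST = 0x04
MD5_SIG_OPTION = 19   # RFC 2385 TCP MD5 Signature option (length 18)
TCPAO_OPTION = 29     # RFC 5925 TCP Authentication Option

def parse_tcp(segment):
    """Return (sport, dport, flags, option kinds, payload) for a raw TCP segment."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    opts, kinds, i = segment[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # truncated or malformed option
        kinds.append(kind)
        i += opts[i + 1]
    return sport, dport, off_flags & 0x1FF, kinds, segment[data_off:]

def find_unhonored_resets(segments):
    """Flag flows where a RST carrying an MD5/AO option is followed by more data: an
    endpoint with no TCP-MD5 key drops such a RST, so later data shows it was ignored."""
    alerts, reset_at = [], {}
    for n, seg in enumerate(segments):
        sport, dport, flags, kinds, payload = parse_tcp(seg)
        flow = tuple(sorted((sport, dport)))   # direction-agnostic key (IPs omitted here)
        if flags & TCP_RST and (MD5_SIG_OPTION in kinds or TCPAO_OPTION in kinds):
            reset_at[flow] = n
        elif payload and flow in reset_at:     # one alert per flow: (flow, RST idx, data idx)
            alerts.append((flow, reset_at.pop(flow), n))
    return alerts

def build_segment(sport, dport, flags, options=b"", payload=b""):
    """Constructed sample segment (checksum left zero; never sent anywhere)."""
    options += b"\x00" * (-len(options) % 4)       # options are padded to 32 bits
    words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (words << 12) | flags, 65535, 0, 0)
    return hdr + options + payload

# Constructed trace of the advisory's pattern: RST/ACK carrying a bogus MD5 option
# (kind 19, length 18, 16 junk digest bytes), then the HTTP request and the reply.
MD5_OPT = bytes([MD5_SIG_OPTION, 18]) + b"\x00" * 16
SAMPLE_TRACE = [
    build_segment(40000, 80, 0x14, options=MD5_OPT),                             # RST|ACK
    build_segment(40000, 80, 0x18, payload=b"GET /forbidden HTTP/1.1\r\n\r\n"),  # PSH|ACK
    build_segment(80, 40000, 0x18, payload=b"HTTP/1.1 200 OK\r\n\r\n")]
```

In a deployment without TCP-MD5 peers (typically only BGP sessions use it), any RST carrying option kind 19 is itself worth an alert even before the follow-up data arrives.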