CVE-2023-35852 in Suricata
Summary
by MITRE • 06/19/2023
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
Analysis
by VulDB Data Team • 01/11/2026
The vulnerability identified as CVE-2023-35852 affects Suricata versions prior to 6.0.13, presenting a critical directory traversal issue that can be exploited by adversaries controlling external rule sources. This flaw specifically manifests when dataset filenames originating from rules are processed without proper validation, potentially enabling attackers to manipulate file paths and gain unauthorized write access to the local filesystem. The vulnerability arises from insufficient input sanitization and path validation mechanisms within the dataset handling component of Suricata's rule processing pipeline.
The vulnerability stems from the lack of path validation when dataset filenames taken from external rule sources are processed. When Suricata processes rules containing dataset references, it does not adequately sanitize the filename parameters, so a malicious rule can include directory traversal sequences such as ../ or ..\ that navigate outside the intended directory boundaries. This path traversal condition can be exploited to write files to arbitrary locations on the filesystem, potentially leading to privilege escalation, data corruption, or system compromise. The vulnerability is classified under CWE-22 (path traversal), the improper neutralization of directory traversal sequences within a pathname.
The operational impact of this vulnerability extends beyond simple file system access, as it can enable adversaries to manipulate Suricata's operational environment in potentially devastating ways. An attacker with control over external rule sources could craft malicious dataset filenames that, when processed by vulnerable Suricata installations, could overwrite critical system files, inject malicious code into configuration files, or create backdoor access points within the network monitoring infrastructure. The implications are particularly severe in environments where Suricata is deployed with elevated privileges or where external rule sources are trusted without proper validation. This vulnerability directly impacts the integrity and availability of network security monitoring systems, potentially allowing attackers to bypass security controls or corrupt the very tools designed to protect the network.
Organizations should upgrade to Suricata 6.0.13 or later, which introduces the allow-absolute-filenames and allow-write settings in the datasets rules configuration section; these must be enabled before rules may use absolute or traversing filenames or write dataset files, and they should be set only when a legitimate operational requirement calls for it. Additional defensive measures include strict access controls on external rule sources, network segmentation to limit where rule sources can be reached from, and monitoring for anomalous filesystem write operations. Security teams should also run Suricata under a least-privilege configuration with the minimal permissions it requires, and regularly audit dataset file operations to detect potential exploitation attempts. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1566 Credential Access, as it enables adversaries to gain unauthorized system access and potentially escalate privileges through file system manipulation.
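An added example (not Suricata's code) that models the 6.0.13 behaviour the summary describes: a dataset filename taken from a rule is checked against the two datasets.rules flags, so traversal or absolute paths and any rule-driven write are refused unless explicitly permitted. The data directory, the sample rule bodies, the simplified splitting of the dataset keyword and the helper names (parse_dataset_keyword, resolve_dataset_path, check_rule) are constructed assumptions for this example.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class DatasetRulesConfig:
    # The two datasets.rules keys the 6.0.13 fix introduced. Both default
    # to False here, the safe setting when the rule feed is not fully trusted.
    allow_absolute_filenames: bool = False
    allow_write: bool = False

def parse_dataset_keyword(body: str) -> dict:
    """Split a 'dataset:' option body (cmd,name,key value,...) into a dict."""
    fields = [f.strip() for f in body.split(",")]
    spec = {"cmd": fields[0], "name": fields[1]}
    for field in fields[2:]:
        key, _, value = field.partition(" ")
        spec[key] = value.strip()
    return spec

def resolve_dataset_path(filename: str, data_dir: str,
                         cfg: DatasetRulesConfig, *, for_write: bool):
    """Decide whether a rule-supplied dataset filename may be used.
    Returns (True, normalised path) or (False, reason)."""
    if for_write and not cfg.allow_write:
        return False, "rule writes a dataset file but allow-write is false"
    escapes = posixpath.isabs(filename) or ".." in filename.split("/")
    if escapes and not cfg.allow_absolute_filenames:
        return False, (f"{filename!r} reaches outside the data directory "
                       "but allow-absolute-filenames is false")
    # An absolute filename replaces data_dir in join(); '..' is collapsed here.
    return True, posixpath.normpath(posixpath.join(data_dir, filename))

def check_rule(body: str, data_dir: str, cfg: DatasetRulesConfig) -> dict:
    """Resolve every file option of one dataset keyword: 'load' only reads,
    while 'save' and 'state' make the engine write the dataset to disk."""
    spec = parse_dataset_keyword(body)
    return {key: resolve_dataset_path(spec[key], data_dir, cfg,
                                      for_write=(key != "load"))
            for key in ("load", "save", "state") if key in spec}

# Constructed sample input: an assumed data directory and three rule bodies.
DATA_DIR = "/var/lib/suricata/data"
BENIGN = "isset,bad-hosts,type string,load bad-hosts.lst"
TRAVERSAL = "isset,bad-hosts,type string,load ../../outside.lst"
ABS_WRITE = "set,seen-hosts,type string,state /tmp/outside.lst"

if __name__ == "__main__":
    for body in (BENIGN, TRAVERSAL, ABS_WRITE):
        print(body, "->", check_rule(body, DATA_DIR, DatasetRulesConfig()))
```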