CVE-2023-35853 in Suricata
Summary
by MITRE • 06/19/2023
In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
Analysis
by VulDB Data Team • 01/11/2026
CVE-2023-35853 affects Suricata versions before 6.0.13. An adversary who controls an external source of Lua rules can have the Suricata engine execute Lua code of their choosing, so the weakness is classed as code injection, with privilege escalation as its consequence. The root cause is that externally supplied Lua rules are loaded and run without validation of their origin or content.
The flaw lies in the Lua rule execution path: Suricata does not verify the integrity or provenance of imported Lua code, so an attacker who has compromised or otherwise gained control of a rule source can place malicious Lua in a rule and have the engine run it. The default configuration of affected versions permits these unsafe Lua operations, which makes this a failure of secure configuration management as much as of secure coding.
The impact is severe. Code supplied through a rule source runs with the privileges of the Suricata process, which is typically elevated so that it can capture traffic and process security events. Successful exploitation could be used to establish persistent backdoors, exfiltrate sensitive data, or disrupt network operations by manipulating the intrusion detection system itself. The attack surface covers any deployment that loads rules from external sources, especially third-party repositories or automated rule updates, and the flaw therefore undermines both the integrity and the availability of network security monitoring.
Organizations should upgrade to Suricata 6.0.13 or later without delay. That release disables Lua rule execution unless allow-rules is explicitly set to true in the security lua configuration section, which follows the least-privilege and defense-in-depth guidance of frameworks such as NIST SP 800-53. Administrators should enable Lua rules only where they are genuinely needed and only for rule sources they fully trust. Further measures include segmenting the network to isolate Suricata instances, monitoring for unauthorized rule updates, and reviewing rule sources regularly. The case also illustrates the ATT&CK guidance on preventing code injection and maintaining secure configuration management; runtime application self-protection and monitoring for unusual Lua execution patterns can help detect exploitation attempts.
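The following audit script is an added example and not Suricata project code. It turns the advisory's three facts (Lua rules run unconditionally before 6.0.13, from 6.0.13 on only when allow-rules is true in the security lua section, and the danger comes from rules fetched from an external source) into a check a defender can run against a suricata.yaml and a downloaded rule file. It assumes the configuration key path security.lua.allow-rules, the `lua:` / `luajit:` rule keyword, and the constructed sample config fragments and rule feed embedded below; the minimal YAML parser handles only the nested-mapping subset that section uses.

```python
"""Audit check for the CVE-2023-35853 exposure: Lua rules executing from an
external rule source.  Added example, not Suricata project code.  Assumes the
config layout named in the advisory (security -> lua -> allow-rules), the
`lua:` / `luajit:` rule keyword, and the constructed sample inputs below."""
import re

# Constructed suricata.yaml fragments: permissive and hardened settings.
CONFIG_PERMISSIVE = """\
security:
  lua:
    # Before 6.0.13 Lua rules always run; from 6.0.13 only if this is true.
    allow-rules: true
"""

CONFIG_HARDENED = """\
security:
  lua:
    allow-rules: false   # 6.0.13 default: Lua rules are refused at load time
"""

# Constructed rule file as fetched from a third-party feed.  Rule 9000001
# invokes a Lua script; 9000002 is a plain content rule; the third is commented out.
RULES_FEED = """\
alert http any any -> any any (msg:"feed rule with lua"; lua:check.lua; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"plain content rule"; content:"SSH-"; sid:9000002; rev:1;)
# alert http any any -> any any (msg:"retired rule"; luajit:old.lua; sid:9000003; rev:1;)
"""

LUA_KEYWORD = re.compile(r"\b(?:lua|luajit)\s*:\s*([^;]+);")
SID_KEYWORD = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_simple_yaml(text):
    """Indent-based parser for the nested-mapping subset of YAML used by the
    security section: `key:` opens a mapping, `key: value` is a scalar leaf.
    Lists, quoting and anchors are out of scope (a deliberate simplification,
    not a YAML library)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:  # close deeper or sibling levels
            stack.pop()
        key, _, value = line.strip().partition(":")
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def version_tuple(version):
    """'6.0.12' -> (6, 0, 12) for ordered comparison."""
    return tuple(int(p) for p in version.split(".")[:3])


def lua_rules_enabled(config, version):
    """True when this engine version will execute Lua rules: unconditionally
    before 6.0.13, and only with security.lua.allow-rules true from 6.0.13 on."""
    if version_tuple(version) < (6, 0, 13):
        return True
    flag = config.get("security", {}).get("lua", {}).get("allow-rules", "false")
    return str(flag).lower() in ("true", "yes", "on", "1")


def find_lua_rules(rules_text):
    """(sid, script) for every active rule that invokes a Lua script."""
    found = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LUA_KEYWORD.search(line)
        if m:
            sid = SID_KEYWORD.search(line)
            found.append((int(sid.group(1)) if sid else None, m.group(1).strip()))
    return found


def assess(config_text, version, rules_text):
    """Combine version, config and rule content into an actionable verdict."""
    enabled = lua_rules_enabled(parse_simple_yaml(config_text), version)
    lua_rules = find_lua_rules(rules_text)
    exposed = enabled and bool(lua_rules)
    if not exposed:
        action = "no Lua rules will execute"
    elif version_tuple(version) < (6, 0, 13):
        action = "upgrade to 6.0.13 or later and keep security.lua.allow-rules false"
    else:
        action = "set security.lua.allow-rules to false unless every Lua rule source is trusted"
    return {"version": version, "lua_rules_enabled": enabled,
            "lua_rules": lua_rules, "exposed": exposed, "action": action}


if __name__ == "__main__":
    for cfg, ver in ((CONFIG_PERMISSIVE, "6.0.12"),
                     (CONFIG_PERMISSIVE, "6.0.13"),
                     (CONFIG_HARDENED, "6.0.13")):
        print(assess(cfg, ver, RULES_FEED))
```

Run it against a real suricata.yaml and the rule files your update job writes; the useful signal is the combination, since a feed containing `lua:` rules is harmless on a 6.0.13+ engine with allow-rules false, and a permissive engine is harmless until a feed starts shipping Lua. Re-running the rule scan after every update is a cheap way to implement the advisory's "monitor for unauthorized rule updates".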