A significant vulnerability, tracked as CVE-2023-35852, has been discovered in Suricata, an open-source network threat detection engine. This vulnerability affects Suricata versions before 6.0.13. In this post, we will explore the details of this vulnerability, including how it can be exploited and how to mitigate the risks associated with it.

Vulnerability Details

Suricata is prone to a directory traversal and write access vulnerability when an attacker has control over an external source of rules. A dataset filename, originating from a rule, can trigger absolute or relative directory traversal, leading to write access to the local filesystem. This issue is addressed in Suricata version 6.0.13 by requiring both the allow-absolute-filenames and allow-write options to be enabled in the datasets rules configuration section if an installation requires traversal or writing in this situation.

Consider the following rule as an example of a vulnerable rule in Suricata (dataset keyword syntax: dataset:<cmd>,<name>,type <type>,save|load|state <file>):

alert http any any -> any any (msg:"CVE-2023-35852 Example"; flow:established,to_server; http.uri; content:"/vulnerable-page"; dataset:set,example_set,type string,save /var/log/suricata/../../../../tmp/example_file; sid:1; rev:1;)

In the above rule, the dataset's save filename is /var/log/suricata/../../../../tmp/example_file. The ../ components escape the intended dataset directory, so the rule causes Suricata to write the dataset file to an attacker-chosen location on the local filesystem.

An attacker who can control the external source of rules used by Suricata can create a malicious rule designed to exploit this vulnerability. This can result in unauthorized access and manipulation of sensitive information on the affected system.
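As an added example (not code from the original post or from the Suricata project), the following Python script audits a rule file for dataset load/save/state paths that are absolute or that climb the tree with "..", which is the kind of check a defender can run over rules fetched from an external source before loading them. The sample rules are constructed; the traversal path is the one from this post, and the other paths are invented for illustration.

```python
import re

# Dataset options that take a filesystem path; save and state write to disk.
PATH_OPTIONS = ("load", "save", "state")
WRITE_OPTIONS = ("save", "state")

# Constructed sample rules: the post's traversal example plus two others.
SAMPLE_RULES = """\
alert http any any -> any any (msg:"CVE-2023-35852 Example"; flow:established,to_server; http.uri; content:"/vulnerable-page"; dataset:set,example_set,type string,save /var/log/suricata/../../../../tmp/example_file; sid:1; rev:1;)
alert http any any -> any any (msg:"benign relative load"; http.uri; dataset:isset,uris,type string,load uris.lst; sid:2; rev:1;)
alert http any any -> any any (msg:"absolute save"; http.uri; dataset:set,uris2,type string,save /tmp/absolute_only.lst; sid:3; rev:1;)
"""

DATASET_RE = re.compile(r"dataset:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def dataset_paths(rule):
    """Yield (option, path) for every load/save/state option in a rule's dataset keywords."""
    for match in DATASET_RE.finditer(rule):
        for part in match.group(1).split(","):
            tokens = part.strip().split(None, 1)
            if len(tokens) == 2 and tokens[0] in PATH_OPTIONS:
                yield tokens[0], tokens[1].strip()


def path_findings(option, path):
    """Classify a dataset path: absolute, traversal (contains a '..' component), write."""
    findings = []
    if path.startswith("/"):
        findings.append("absolute")
    if ".." in path.split("/"):
        findings.append("traversal")
    if option in WRITE_OPTIONS:
        findings.append("write")
    return findings


def audit_rules(text):
    """Return (sid, option, path, findings) for each dataset path that needs review."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for option, path in dataset_paths(line):
            findings = path_findings(option, path)
            if findings:
                results.append((sid, option, path, findings))
    return results


if __name__ == "__main__":
    for sid, option, path, findings in audit_rules(SAMPLE_RULES):
        print(f"sid {sid}: dataset {option} {path} -> {', '.join(findings)}")
```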

Mitigation

To mitigate this vulnerability, users are advised to update their Suricata installations to version 6.0.13 or later. In addition to the update, the following configuration changes should be applied to the datasets rules section:

Set the allow-write option to true

In 6.0.13 these options are off by default, so Suricata rejects absolute or traversing dataset filenames and refuses dataset writes requested by rules unless they are explicitly enabled; enable them only when an installation genuinely needs that behaviour.


Conclusion

CVE-2023-35852 is a critical vulnerability in Suricata, affecting versions before 6.0.13. By exploiting this vulnerability, an attacker who controls an external rule source can gain write access to the local filesystem via directory traversal. To mitigate the risk, users should update their Suricata installation to version 6.0.13 or later and apply the configuration changes detailed above. Stay vigilant and keep your network threat detection engines updated to protect your infrastructure from potential threats.

Timeline

Published on: 06/19/2023 04:15:00 UTC
Last modified on: 06/28/2023 18:44:00 UTC