CVE-2021-37592: 
Suricata vulnerability analysis and mitigation

Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. The vulnerability was discovered and disclosed in November 2021, identified as CVE-2021-37592. This critical security flaw affects all versions of Suricata prior to versions 5.0.8 and 6.0.4 (NVD, Suricata Forum).

The vulnerability allows TCP evasion through a specific attack pattern where an attacker can bypass TCP-based signatures on certain Linux servers. The attack involves sending a FIN-SYN-ACK after a three-way handshake, followed by a fake SYN with an incorrect sequence number after the server's ACK response. This sequence causes desynchronization of the NIDS, allowing the transmission of known signatures without detection. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD, OISF Issue).

The vulnerability enables attackers to bypass TCP-based signature detection, potentially allowing malicious traffic to pass through undetected. The issue affects various server configurations, particularly on Linux systems, including Nginx 1.21.1, Django 3.1.5, Gunicorn 20.0.4, and Python3 3.8.5 running on Ubuntu 20.04. Windows-based systems and Apache servers were found to be unaffected by this vulnerability (OISF Issue).

The vulnerability has been fixed in Suricata versions 5.0.8 and 6.0.4. Users are strongly advised to upgrade to these or later versions to protect against this TCP evasion vulnerability. The fix was implemented through a commit that addresses the TCP stream handling issue (Suricata Forum).