CVE-2021-45098: 
Suricata vulnerability analysis and mitigation

CVE-2021-45098 is a vulnerability discovered in Suricata versions before 6.0.4. The vulnerability was disclosed on December 16, 2021, affecting Suricata's network intrusion detection and prevention capabilities (NVD, Debian Tracker).

The vulnerability allows attackers to bypass or evade any HTTP-based signature detection by exploiting TCP packet handling. After a three-way handshake, an attacker can inject an RST ACK with a random TCP md5header option, followed by an HTTP GET request containing forbidden URLs. The server ignores the RST ACK and processes the HTTP request, effectively bypassing Suricata's reject action. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability enables attackers to bypass Suricata's HTTP-based signature detection mechanisms, potentially allowing malicious HTTP traffic to pass through the security controls undetected. This significantly impacts the effectiveness of the intrusion detection and prevention capabilities of affected Suricata installations (NVD).

The vulnerability has been fixed in Suricata version 6.0.4. Organizations are advised to upgrade to this version or later to address the security issue. The fix includes special handling for RST packets with TCP MD5 or AO header options (Suricata Release, Suricata Patch).