Bug 26602 - suricata new security issue(s) fixed upstream in 4.1.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-08 01:58 CEST by David Walser
Modified: 2020-05-15 17:49 CEST

See Also:
Source RPM: suricata-4.1.6-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-05-08 01:58:51 CEST
Fedora has issued an advisory today (May 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFDZEYHMOYBANQU6NAZYRPEDAPRZEXET/

Issues were found via fuzz testing and fixed in 5.0.3 and 4.1.8:
https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/
Comment 1 Lewis Smith 2020-05-08 20:11:22 CEST
Guillaume is the active maintainer, so assigning this to you.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2020-05-09 14:33:36 CEST
Updated package uploaded by Guillaume.

Advisory:
========================

Updated suricata packages fix security vulnerabilities:

The suricata package has been updated to version 4.1.8, which fixes security
issues and other bugs.  See the upstream announcements for details.

References:
https://suricata-ids.org/2020/02/13/suricata-4-1-7-released/
https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/
========================

Updated packages in core/updates_testing:
========================
suricata-4.1.8-1.mga7
libhtp2-4.1.8-1.mga7
libhtp-devel-4.1.8-1.mga7

from suricata-4.1.8-1.mga7.src.rpm

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch

Comment 3 Herman Viaene 2020-05-10 11:10:13 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25956 for testing, got a bit further, but still....
This laptop connects with wifi.
# suricata-update
10/5/2020 -- 10:31:37 - <Info> -- Using data-directory /var/lib/suricata.
10/5/2020 -- 10:31:37 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
10/5/2020 -- 10:31:37 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
10/5/2020 -- 10:31:37 - <Info> -- Found Suricata version 4.1.8 at /usr/sbin/suricata.
10/5/2020 -- 10:31:37 - <Info> -- Loading /etc/suricata/suricata.yaml
and a lot more and at the end:
10/5/2020 -- 10:31:42 - <Info> -- Loaded 26836 rules.
10/5/2020 -- 10:31:43 - <Info> -- Disabled 14 rules.
10/5/2020 -- 10:31:43 - <Info> -- Enabled 0 rules.
10/5/2020 -- 10:31:43 - <Info> -- Modified 0 rules.
10/5/2020 -- 10:31:43 - <Info> -- Dropped 0 rules.
10/5/2020 -- 10:31:43 - <Info> -- Enabled 124 rules for flowbit dependencies.
10/5/2020 -- 10:31:43 - <Info> -- Creating directory /var/lib/suricata/rules.
10/5/2020 -- 10:31:43 - <Info> -- Backing up current rules.
10/5/2020 -- 10:31:43 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 26836; enabled: 20128; added: 26836; removed 0; modified: 0
10/5/2020 -- 10:31:43 - <Info> -- Testing with suricata -T.
10/5/2020 -- 10:32:04 - <Info> -- Done.

So that seems OK.
# systemctl start suricata
No feedback from this command, usually this means it's OK, but
# systemctl -l status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-05-10 10:32:38 CEST; 19s ago
  Process: 16888 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 16888 (code=exited, status=1/FAILURE)

May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - F>
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - >
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(>
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Notice> - all 4 packet processing threads, 4>
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:32:38 mach5.hviaene.thuis suricata[16888]: 10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thre>
May 10 10:32:38 mach5.hviaene.thuis systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
May 10 10:32:38 mach5.hviaene.thuis systemd[1]: suricata.service: Failed with result 'exit-code'.

# tail /var/log/suricata/suricata.log
10/5/2020 -- 10:32:38 - <Notice> - This is Suricata version 4.1.8 RELEASE
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "eth0": No such device
10/5/2020 -- 10:32:38 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Went into /etc/suricata/suricata.yaml file and replaced eth0 with wmp9s0, and tried again, but same failure on eth0.
Then 
# suricata -D -i wlp9s0
10/5/2020 -- 10:45:26 - <Notice> - This is Suricata version 4.1.8 RELEASE
and
# systemctl -l status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-05-10 10:42:03 CEST; 3min 58s ago
  Process: 19266 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 19266 (code=exited, status=1/FAILURE)

May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - F>
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - >
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(>
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Notice> - all 4 packet processing threads, 4>
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] ->
May 10 10:42:03 mach5.hviaene.thuis suricata[19266]: 10/5/2020 -- 10:42:03 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thre>
May 10 10:42:03 mach5.hviaene.thuis systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
May 10 10:42:03 mach5.hviaene.thuis systemd[1]: suricata.service: Failed with result 'exit-code'.

# ps aux | grep suricata
root      3401  0.0  0.0   9044   872 pts/1    S+   10:46   0:00 grep --color suricata
root     31930 33.5  3.8 921348 307612 ?       Ssl  10:45   0:21 suricata -D -i wlp9s0
[root@mach5 ~]# tail /var/log/suricata/suricata.log
...snip.....
10/5/2020 -- 10:45:26 - <Notice> - This is Suricata version 4.1.8 RELEASE
10/5/2020 -- 10:45:47 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'wlp9s0': Operation not supported (95)
10/5/2020 -- 10:45:47 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

Googled on that error and found (a.o.) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895342
Not very hopeful....

CC: (none) => herman.viaene

Comment 4 Guillaume Rousse 2020-05-10 14:05:29 CEST
The Debian bug is about suricata not automatically detecting the network interface to use, which is not your case. Your problem is more likely related to optional features not supported by your network interface, as explained here:
https://redmine.openinfosecfoundation.org/issues/1976

Anyway, that's just a warning, and unlikely to be a regression from the version shipped with Mageia 7.
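
Added example (not part of the bug report and not Suricata project code): a Python script that triages the two suricata.log excerpts from Comment 3, separating the fatal AF_PACKET start-up failure on eth0 from the non-fatal ioctl warning on wlp9s0 discussed in Comment 4. The sample lines are taken from the excerpts above; the function name `triage` and the verdict labels are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: lines taken from the two suricata.log excerpts in Comment 3.
SYSTEMD_RUN = """\
10/5/2020 -- 10:32:38 - <Notice> - This is Suricata version 4.1.8 RELEASE
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
10/5/2020 -- 10:32:38 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
10/5/2020 -- 10:32:38 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
10/5/2020 -- 10:32:38 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
"""
MANUAL_RUN = """\
10/5/2020 -- 10:45:26 - <Notice> - This is Suricata version 4.1.8 RELEASE
10/5/2020 -- 10:45:47 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'wlp9s0': Operation not supported (95)
10/5/2020 -- 10:45:47 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
"""

# timestamp - <Level> - optional [ERRCODE: NAME(num)] - message
LINE = re.compile(r"^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> - "
                  r"(?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$")
# Interface name as it appears in the three message shapes seen in the excerpts.
IFACE = re.compile(r"(?:for '|iface \"?|thread W#\d+-)([\w.-]+)")

def triage(log_text):
    """Summarise one start-up: count of each level/code, interfaces named, verdict."""
    codes, ifaces, started = Counter(), set(), False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if "engine started" in m["msg"]:
            started = True
        if m["code"]:
            codes[f"{m['level']}/{m['code']}"] += 1
            hit = IFACE.search(m["msg"])
            if hit:
                ifaces.add(hit.group(1))
    # "engine started" is logged even in the failing run, so any <Error> wins over it.
    if any(key.startswith("Error/") for key in codes):
        verdict = "failed"
    elif started:
        verdict = "running"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "interfaces": sorted(ifaces), "codes": dict(codes)}

if __name__ == "__main__":
    print("systemd unit:", triage(SYSTEMD_RUN))
    print("suricata -D -i wlp9s0:", triage(MANUAL_RUN))
```
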
Comment 5 Herman Viaene 2020-05-10 14:15:32 CEST
@Guillaume
I found that bug report as well while googling, but being more than 3 years old...
Anyway, tx for reviewing this. OK'ing then.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-05-10 19:15:39 CEST
Thanks. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-15 16:48:47 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-05-15 17:49:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0214.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

