The OISF has published corrective releases of the Suricata network intrusion detection and prevention system, 6.0.3 and 5.0.7, which fix vulnerability CVE-2021-35063, rated critical. The problem makes it possible to bypass all of Suricata's analyzers and checks.
The vulnerability was caused by flow analysis being disabled for packets with a non-zero ACK value but without the ACK bit set. This made it possible to start a TCP session with a SYN packet carrying a non-zero ACK value and thereby take the entire TCP connection out of Suricata's inspection scope. Suricata treated such packets as erroneous, and the handlers returned an error code without parsing the content.
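As an added illustration (not code from Suricata or OISF), the following Python example checks raw TCP headers for the packet shape described above: SYN set, ACK bit clear, acknowledgment number non-zero. The function names and the sample headers are constructed for this example.

```python
import struct

# TCP flag bits in the low bits of the 16-bit offset/flags field.
SYN, ACK, PSH = 0x02, 0x10, 0x08


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": off_flags & 0x1FF}


def is_syn_with_stray_ack(segment: bytes) -> bool:
    """True for a SYN whose ACK bit is clear but whose ACK number is non-zero."""
    hdr = parse_tcp_header(segment)
    flags = hdr["flags"]
    return bool(flags & SYN) and not (flags & ACK) and hdr["ack"] != 0


def find_suspect_syns(segments) -> list:
    """Return indices of segments matching the check; skip truncated headers."""
    hits = []
    for i, seg in enumerate(segments):
        try:
            if is_syn_with_stray_ack(seg):
                hits.append(i)
        except ValueError:
            continue
    return hits


def sample_header(seq: int, ack: int, flags: int) -> bytes:
    """Constructed test input: a 20-byte header with data offset 5."""
    return struct.pack("!HHIIHHHH", 40000, 80, seq, ack, (5 << 12) | flags, 65535, 0, 0)


# Constructed samples, not captured traffic.
SAMPLES = [
    sample_header(1000, 0, SYN),                 # ordinary SYN
    sample_header(1000, 0x12345678, SYN),        # SYN, ACK bit clear, ACK number set
    sample_header(5000, 1001, SYN | ACK),        # ordinary SYN-ACK
    sample_header(1001, 5001, ACK | PSH),        # ordinary data segment
    b"\x00" * 8,                                 # truncated header
]

if __name__ == "__main__":
    print(find_suspect_syns(SAMPLES))
```

Sensors that run alongside an unpatched Suricata can use a check of this kind to flag connections that the affected versions would have stopped inspecting.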