
CVE-2023-35852: n/a

Published: Mon Jun 19 2023 (06/19/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.

AI-Powered Analysis

Last updated: 11/03/2025, 20:21:39 UTC

Technical Analysis

CVE-2023-35852 affects Suricata, the open-source network threat detection engine widely used for intrusion detection and prevention. Before version 6.0.13, Suricata did not constrain the filenames that rules hand to the dataset engine. A rule attaches a file to a dataset through the load, save and state options of the dataset keyword; save and state make Suricata write the dataset back to that file. Because the path was taken from the rule as written, a rule containing an absolute path or ".." components could make Suricata write outside its intended data directory, anywhere the user Suricata runs as can write.

The precondition is that an adversary controls an external source of rules that the installation loads, for example a compromised or malicious ruleset feed. What gets written is a dataset dump (one entry per line, with string-type values stored base64-encoded) rather than arbitrary attacker-chosen bytes, which limits but does not remove the impact: an attacker can still overwrite existing files, drop files where other software will read them, or disrupt Suricata's own operation.

The fix in 6.0.13 adds two settings in the datasets rules section of suricata.yaml, 'allow-absolute-filenames' and 'allow-write'. They gate the behaviour separately: 'allow-absolute-filenames' governs whether a rule may name an absolute or upward-traversing path, 'allow-write' whether rules may write datasets to disk at all. With the fix applied, a traversing write requires both to be enabled, so an installation that genuinely needs that behaviour must opt in; check both values in the running configuration rather than assuming the upstream default. No public exploits have been reported, but the vulnerability is a real risk wherever rulesets are pulled from external sources without validation, as is common in threat intelligence sharing setups. No CVSS score was assigned, so severity has to be judged independently from the impact and the exploitation prerequisites.
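As an added example (not taken from this page or from the Suricata project), the datasets section of suricata.yaml with both options set to the restrictive value. The nesting follows the datasets: / rules: layout of the shipped suricata.yaml; the comments are ours, and the option names are the ones the CVE text gives:

```yaml
datasets:
  rules:
    # Reject rule-supplied dataset filenames that are absolute or that
    # contain ".." components (the traversal path behind CVE-2023-35852).
    allow-absolute-filenames: false
    # Do not let rules write datasets (save/state options) to disk at all.
    # Set to true only if a trusted, locally maintained ruleset needs it.
    allow-write: false
```

After editing, run suricata -T -c /etc/suricata/suricata.yaml to validate the configuration, and suricata --dump-config to confirm the effective values of the two keys on a 6.0.13 or later build.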

Potential Impact

For European organizations, the impact of CVE-2023-35852 can be substantial, especially for those relying on Suricata for network security monitoring and intrusion detection. Successful exploitation lets an attacker write files on the security monitoring host itself, which can lead to tampering with or corrupting Suricata's operational files and logs, denial of service, or, depending on where the file lands, a foothold on the host. Either way the integrity and availability of the monitoring infrastructure suffer, and so does the effectiveness of detection and response. Organizations in finance, energy, telecommunications and government, which commonly depend on Suricata for real-time network monitoring, face the greatest exposure. Exploitation requires no interaction on the Suricata host beyond the routine rule update: the attacker only needs to get a crafted rule into a feed the installation loads, which makes control over rule sources the decisive factor. The absence of known exploits suggests limited active threat today, but the vulnerability remains significant wherever external rule sources are not tightly controlled. Failure to patch or configure properly could give attackers lateral movement within networks or a persistent foothold on monitoring hosts.

Mitigation Recommendations

European organizations should upgrade Suricata to version 6.0.13 or later, which adds the controls described above. Where upgrading is not immediately feasible, audit and restrict the sources of external rules to trusted providers only, and do not load unauthenticated or unverified rule feeds. On upgraded installations, explicitly set 'allow-absolute-filenames' and 'allow-write' in the datasets rules configuration section to false unless a trusted ruleset genuinely needs them, and verify the effective values rather than relying on defaults. Run Suricata with the least privilege the deployment allows and apply strict filesystem permissions on Suricata hosts so that any file write is confined to the dataset directory. Monitoring and alerting on unexpected file changes in Suricata directories gives early detection of exploitation attempts. Finally, review incident response plans so they cover compromise of the network monitoring infrastructure itself.
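To make the "audit the rule feed" recommendation concrete, here is an added example, not part of this page or of the Suricata project: a small Python checker that scans a ruleset for dataset/datarep keywords whose load, save or state filename is absolute or contains a ".." component, and reports whether the option writes to disk. The sample rules are constructed for this example, and the function names (audit_rules, classify_path, findings_for_sample) are ours:

```python
import re

# Body of a dataset/datarep keyword inside a Suricata rule line, e.g.
#   dataset:set,hosts,type string,save hosts.lst;
KEYWORD_RE = re.compile(r"\b(dataset|datarep):([^;]*);")
# File options inside that body: load <file>, save <file>, state <file>.
FILE_OPT_RE = re.compile(r"\b(load|save|state)\s+([^,\s]+)")
# Options that make Suricata write the dataset back to disk.
WRITE_OPTS = {"save", "state"}


def classify_path(path):
    """Return 'absolute', 'traversal' or None for a rule-supplied filename."""
    if path.startswith("/"):
        return "absolute"
    if any(part == ".." for part in path.split("/")):
        return "traversal"
    return None


def audit_rules(rule_text):
    """Scan ruleset text and return findings for risky dataset filenames."""
    findings = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        sid_match = re.search(r"\bsid:\s*(\d+)", line)
        sid = int(sid_match.group(1)) if sid_match else None
        for keyword, body in KEYWORD_RE.findall(line):
            for option, path in FILE_OPT_RE.findall(body):
                kind = classify_path(path)
                if kind is None:
                    continue  # plain relative name, stays in the dataset dir
                findings.append({
                    "line": lineno,
                    "sid": sid,
                    "keyword": keyword,
                    "option": option,
                    "path": path,
                    "kind": kind,
                    # A load outside the dataset dir reads foreign files;
                    # a save/state outside it is the CVE-2023-35852 write.
                    "writes": option in WRITE_OPTS,
                })
    return findings


# Constructed sample ruleset for this example (not a real feed).
SAMPLE_RULES = """\
# constructed sample rules
alert http any any -> any any (msg:"relative load"; http.host; dataset:isset,hosts,type string,load hosts.lst; sid:1000001; rev:1;)
alert http any any -> any any (msg:"traversal write"; http.host; dataset:set,hosts,type string,save ../../../tmp/hosts.lst; sid:1000002; rev:1;)
alert http any any -> any any (msg:"absolute state"; http.host; dataset:set,hosts,type string,state /tmp/hosts-state.lst; sid:1000003; rev:1;)
alert http any any -> any any (msg:"relative save"; http.host; dataset:set,hosts,type string,save hosts.lst; sid:1000004; rev:1;)
"""


def findings_for_sample():
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for f in findings_for_sample():
        verb = "WRITES" if f["writes"] else "reads"
        print(f"line {f['line']} sid {f['sid']}: {f['keyword']} {f['option']} "
              f"{f['path']} ({f['kind']}, {verb} outside the dataset directory)")
```

Run it over the files a rule updater fetches before they are loaded; anything reported with "writes" is exactly the case the upgrade's allow-absolute-filenames and allow-write gates refuse, and on a pre-6.0.13 build it is the path an adversary controlling the feed would use. The check is deliberately conservative: it flags relative paths that go upward even when they would normalize back inside the dataset directory.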


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2023-06-19T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690904ab00ff46172d4a015e

Added to database: 11/3/2025, 7:38:19 PM

Last enriched: 11/3/2025, 8:21:39 PM

Last updated: 11/6/2025, 2:01:27 PM

Views: 2
