CVE-2024-55627
Published: 06 January 2025
Description
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.
Security Summary
CVE-2024-55627 is a buffer overflow vulnerability in Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. Affecting versions prior to 7.0.8, the flaw occurs when processing a specially crafted TCP stream during buffer initialization with memset, triggered by an unsigned integer underflow that leads to a very large buffer overflow while zero-filling. This issue maps to CWEs-122 (Heap-based Buffer Overflow), CWE-191 (Integer Underflow), and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted TCP stream to a vulnerable Suricata instance. The high attack complexity (AC:H) stems from the need to precisely manipulate the TCP stream to induce the underflow. Successful exploitation results in a denial-of-service condition, as the buffer overflow causes the Suricata process to crash, disrupting network monitoring, detection, and prevention capabilities without impacting confidentiality or integrity.
The vulnerability has been fully addressed in Suricata version 7.0.8 through multiple fixes detailed in GitHub commits (282509f70c4ce805098e59535af445362e3e9ebd, 8900041405dbb5f9584edae994af2100733fb4be, and 9a53ec43b13f0039a083950511a18bf6f408e432), as documented in the GitHub Security Advisory GHSA-h2mv-7gg8-8x7v and Redmine issue 7393. Security practitioners should prioritize upgrading to Suricata 7.0.8 or later to mitigate the risk.
Details
- CWE(s)