CVE-2024-55628

High

Published: 06 January 2025

Modified: 31 March 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0054 (67.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8.

Security Summary

CVE-2024-55628 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. In versions prior to 7.0.8, the vulnerability stems from improper handling of DNS resource name compression: a small DNS message can encode very large hostnames, which is expensive to decode and produces oversized DNS log records. Limits on decoded hostname length existed but were too permissive. The flaw carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-405 (Asymmetric Resource Consumption), CWE-779 (Logging of Excessive Data), and NVD-CWE-Other.

A remote, unauthenticated attacker can trigger the flaw by sending crafted DNS packets across a monitored network segment. Decompression then consumes resources out of proportion to the packet size, which can lead to denial of service through CPU exhaustion or disk-space depletion from very large log entries. No user interaction or privileges are required, so any Suricata deployment that inspects DNS traffic from untrusted sources is exposed.

The issue was addressed in Suricata version 7.0.8 via targeted commits tightening hostname length limits and improving decompression bounds. Official advisories, including GHSA-96w4-jqwf-qx2j on GitHub and Open Information Security Foundation's Redmine ticket #7280, recommend upgrading to 7.0.8 or later. Relevant patches are available in commits such as 19cf0f81335d9f787d587450f7105ad95a648951, 37f4c52b22fcdde4adf9b479cb5700f89d00768d, and 3a5671739f5b25e5dd973a74ca5fd8ea40e1ae2d.
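The mechanism described above (a short message whose compression pointers expand into a very long name) and the fix described in the paragraph just above (tightening the decoded-length limit) can both be illustrated with a bounded DNS name decoder. The following is an added example written for this page; it is not Suricata's code and does not reproduce the project's patch. The 63-byte label and 255-byte name limits are from RFC 1035; the pointer-hop budget, the `DnsNameError` class and the two message builders are assumptions made for the example, and both messages are constructed inline.

```python
import struct

MAX_LABEL_LEN = 63        # RFC 1035 section 2.3.4
MAX_NAME_LEN = 255        # RFC 1035 section 2.3.4: whole name in wire form
MAX_POINTER_HOPS = 16     # assumed budget; a well-formed name needs at most a few


class DnsNameError(ValueError):
    """Raised when a name violates a length, pointer or bounds limit."""


def decode_name(msg: bytes, offset: int,
                max_name_len: int = MAX_NAME_LEN,
                max_hops: int = MAX_POINTER_HOPS) -> tuple[str, int]:
    """Decode a possibly-compressed domain name starting at `offset`.

    Returns (dotted_name, offset_after_name) where the second value is where
    the caller continues parsing in the original byte stream. Raises
    DnsNameError if the decoded name would exceed `max_name_len` wire bytes,
    more than `max_hops` pointers are followed, a pointer does not point
    strictly backwards (RFC 1035 requires a *prior* occurrence, which also
    rules out loops), or the name runs past the end of the message.
    """
    labels: list[str] = []
    wire_len = 0          # bytes the name would occupy if written uncompressed
    hops = 0
    end_offset = None     # set at the first pointer (or at the root label)
    pos = offset
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            if end_offset is None:
                end_offset = pos + 2
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > max_hops:
                raise DnsNameError("too many compression pointers")
            if target >= pos:
                raise DnsNameError("pointer must reference an earlier offset")
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("unsupported label type")
        if length == 0:                                # root label ends the name
            wire_len += 1
            if wire_len > max_name_len:
                raise DnsNameError("decoded name exceeds %d bytes" % max_name_len)
            if end_offset is None:
                end_offset = pos + 1
            break
        if length > MAX_LABEL_LEN:
            raise DnsNameError("label longer than %d bytes" % MAX_LABEL_LEN)
        wire_len += 1 + length
        if wire_len > max_name_len:       # checked before copying, so cost is bounded
            raise DnsNameError("decoded name exceeds %d bytes" % max_name_len)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsNameError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", end_offset


def build_normal_message() -> bytes:
    """Constructed: header, question 'example.com', answer name as a pointer."""
    buf = bytearray(b"\x00" * 12)               # 12-byte header, zeroed
    buf += b"\x07example\x03com\x00"            # question name at offset 12
    buf += b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
    buf += struct.pack("!H", 0xC000 | 12)       # answer name at offset 29: pointer
    return bytes(buf)


def build_chained_name_message(depth: int) -> tuple[bytes, int]:
    """Constructed: name k is one label 'a' plus a pointer to name k-1.

    Each extra name costs 4 bytes on the wire but decodes to one label more
    than the previous one, so decoded size grows far faster than message size.
    Returns (message, offset_of_deepest_name).
    """
    buf = bytearray(b"\x00" * 12)
    prev = len(buf)
    buf += b"\x01a\x00"                         # name 0: "a"
    for _ in range(depth):
        here = len(buf)
        buf += b"\x01a" + struct.pack("!H", 0xC000 | prev)
        prev = here
    return bytes(buf), prev
```

With the defaults, the chained message is rejected after 16 pointer hops; raising `max_hops` only moves the rejection to the 255-byte name cap, so neither limit alone has to carry the whole defence. The check on `wire_len` happens before any label bytes are copied, which is what keeps decoding cost proportional to the message rather than to the expanded name.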

Details

CWE(s): CWE-405, CWE-779, NVD-CWE-Other

Affected Products

Vendor: oisf
Product: suricata
Versions: ≤ 7.0.8

References