Cyber Posture

CVE-2024-55629

High

Published: 06 January 2025
Modified: 31 March 2025
KEV Added:
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0065 (70.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as "drop tcp any any -> any any (sid:1; tcp.flags:U*;)" to drop all the packets with urgent flag set.

Security Summary

CVE-2024-55629 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. In versions prior to 7.0.8, the vulnerability arises when processing TCP streams containing urgent data (also known as out-of-band data). This causes Suricata to analyze the data differently from the applications at the TCP endpoints, potentially leading to detection evasions. The issue is classified under CWE-437 (Incomplete Model Error) and CWE-436 (Interpretation Conflict), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact without confidentiality or availability disruption.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction. By crafting TCP packets with the urgent flag and associated out-of-band data, adversaries can manipulate how Suricata interprets the stream, causing it to miss or incorrectly classify malicious payloads that endpoint applications process normally. This enables evasion of security rules, allowing attacks like command injection, data exfiltration, or other exploits to bypass Suricata's detection and prevention capabilities.

The fix ships in Suricata 7.0.8 as configurable handling of TCP urgent data, as detailed in the official GitHub security advisory (GHSA-69wr-vhwg-84h2) and the related commits. Users should upgrade to version 7.0.8 or later. In IPS mode, a workaround is to deploy a drop rule such as "drop tcp any any -> any any (sid:1; tcp.flags:U*;)" to discard every packet with the urgent flag set, which closes the evasion path until patching is feasible. Additional details are available in the Open Information Security Foundation's Redmine issue tracker (issue 7411).
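The workaround rule matches on the URG flag with the "*" modifier, which fires whenever URG is set alongside any other flags (a bare "tcp.flags:U" would only match a segment whose flags are exactly URG). The Python below is an added illustration, not code from this page or from the Suricata project: it decodes raw TCP headers and mirrors the tcp.flags test so a defender can check a capture for segments the rule would drop. The sample segments and the build_segment helper are constructed, and tcp_flags_match handles only the exact, "+" and "*" forms of the keyword.

```python
import struct

# TCP flag bits, low byte of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG, "E": ECE, "C": CWR}


def parse_tcp_segment(raw: bytes) -> dict:
    """Decode a TCP header (no IP header in front) into the fields used here."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4           # header length in bytes, options included
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0xFF, "window": win, "urg_ptr": urg_ptr,
        "payload": raw[data_offset:],
    }


def tcp_flags_match(flags: int, spec: str) -> bool:
    """Subset of Suricata's tcp.flags keyword: 'UA' exact match, 'U+' the named bits plus any others,
    'U*' any of the named bits set."""
    modifier = spec[-1] if spec[-1] in "+*" else ""
    wanted = 0
    for letter in spec.rstrip("+*"):
        wanted |= FLAG_LETTERS[letter]
    if modifier == "+":
        return flags & wanted == wanted
    if modifier == "*":
        return flags & wanted != 0
    return flags == wanted


def build_segment(flags: int, urg_ptr: int, payload: bytes) -> bytes:
    """Constructed input: 20-byte header with no options; checksum left at zero."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, off_flags, 65535, 0, urg_ptr) + payload


# Constructed sample capture: one ordinary PSH/ACK segment and one carrying the URG flag.
SAMPLE_SEGMENTS = {
    "normal_push": build_segment(ACK | PSH, 0, b"GET / HTTP/1.1\r\n"),
    "urgent_ack": build_segment(ACK | URG, 1, b"GET / HTTP/1.1\r\n"),
}


def segments_hit_by_workaround(segments: dict) -> list:
    """Names of segments the 'drop tcp any any -> any any (sid:1; tcp.flags:U*;)' rule would discard."""
    return [name for name, raw in segments.items()
            if tcp_flags_match(parse_tcp_segment(raw)["flags"], "U*")]
```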

Details

CWE(s): CWE-437, CWE-436

Affected Products

Vendor: oisf
Product: suricata
Versions: ≤ 7.0.8

References