CVE-2024-32867 – Suricata's defrag contains various issues leading to policy bypass
https://notcve.org/view.php?id=CVE-2024-32867
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in the handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 and 6.0.19.
References:
https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9
https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66
https://github.com/OISF/suricata/commit/414f97c6695c5a2e1d378a36a6f50d7288767634
https://github.com/OISF/suricata/commit/bf3d420fb709ebe074019a99e3bd3a2364524a4b
https://github.com/OISF/suricata/commit/d13bd2ae217a6d2ceb347f74d27cbfcd37b9bda9
https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8
https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5
https://redmine&
Weakness: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVE-2024-32664 – Suricata's base64 contains an out of bounds write
https://notcve.org/view.php?id=CVE-2024-32664
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds: do not use rules that combine the `base64_decode` keyword with a `bytes` option of 1, 2 or 5, and on 7.0.x set `app-layer.protocols.smtp.mime.body-md5` to false.
References:
https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379
https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4
https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7
Weakness: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-122: Heap-based Buffer Overflow
CVE-2024-28870 – Suricata uses excessive resource use in malformed ssh traffic parsing
https://notcve.org/view.php?id=CVE-2024-28870
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources and can generate an excessive volume of alert log records. This issue has been patched in versions 6.0.17 and 7.0.4.
References:
https://github.com/OISF/suricata/security/advisories/GHSA-mhhx-xw7r-r5c8
Weakness: CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2024-24568 – Suricata http2: header handling evasion
https://notcve.org/view.php?id=CVE-2024-24568
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, rules that inspect HTTP2 headers can be bypassed by crafted traffic. The vulnerability has been patched in 7.0.3.
References:
https://github.com/OISF/suricata/commit/478a2a38f54e2ae235f8486bff87d7d66b6307f0
https://github.com/OISF/suricata/security/advisories/GHSA-gv29-5hqw-5h8c
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GOCOBFUTIFHOP2PZOH4ENRFXRBHIRKK4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXJIT7R53ZXROO3I256RFUWTIW4ECK6P
https://redmine.openinfosecfoundation.org/issues/6717
Weakness: CWE-284: Improper Access Control
CVE-2024-23839 – Suricata http: heap use after free with http.request_header and http.response_header keywords
https://notcve.org/view.php?id=CVE-2024-23839
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid the http.request_header and http.response_header keywords.
References:
https://github.com/OISF/suricata/commit/cd731fcaf42e5f7078c9be643bfa0cee2ad53e8f
https://github.com/OISF/suricata/security/advisories/GHSA-qxj6-hr2p-mmc7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GOCOBFUTIFHOP2PZOH4ENRFXRBHIRKK4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXJIT7R53ZXROO3I256RFUWTIW4ECK6P
https://redmine.openinfosecfoundation.org/issues/6657
Weakness: CWE-416: Use After Free