CVE-2024-32663 – Suricata's HTTP/2 parser contains improper compressed header handling that can lead to resource starvation
https://notcve.org/view.php?id=CVE-2024-32663
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing the `app-layer.protocols.http2.max-table-size` value (default is 65536).
References: https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64 https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019 https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5 https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r https://redmine.openinfosecfoundation.org/issues/6892 https://redmine.openinfosecfoundation.org/issues/6900
Weaknesses: CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2024-32867 – Suricata's defrag contains various issues leading to policy bypass
https://notcve.org/view.php?id=CVE-2024-32867
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in the handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 and 6.0.19.
References: https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9 https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 https://github.com/OISF/suricata/commit/414f97c6695c5a2e1d378a36a6f50d7288767634 https://github.com/OISF/suricata/commit/bf3d420fb709ebe074019a99e3bd3a2364524a4b https://github.com/OISF/suricata/commit/d13bd2ae217a6d2ceb347f74d27cbfcd37b9bda9 https://github.com/OISF/suricata/commit/e6267758ed5da27f804f0c1c07f9423bdf4d72b8 https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5 https://redmine&
Weaknesses: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVE-2024-32664 – Suricata's base64 decoder contains an out-of-bounds write
https://notcve.org/view.php?id=CVE-2024-32664
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not using rules that combine the `base64_decode` keyword with the `bytes` option set to 1, 2 or 5 and, for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false.
References: https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379 https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7
Weaknesses: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-122: Heap-based Buffer Overflow
CVE-2024-28871 – LibHTP uses excessive CPU on malformed traffic
https://notcve.org/view.php?id=CVE-2024-28871
LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available.
References: https://github.com/OISF/libhtp/commit/79e713f3e527593a45f545e854cd9e6fbb3cd3ed https://github.com/OISF/libhtp/commit/bf618ec7f243cebfb0f7e84c3cb158955cb32b4d https://github.com/OISF/libhtp/security/advisories/GHSA-ffr2-45w9-7wmg https://redmine.openinfosecfoundation.org/issues/6757
Weaknesses: CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2024-28870 – Suricata uses excessive resources when parsing malformed SSH traffic
https://notcve.org/view.php?id=CVE-2024-28870
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources and also generate an excessive volume of alert log records. This issue has been patched in versions 6.0.17 and 7.0.4.
References: https://github.com/OISF/suricata/security/advisories/GHSA-mhhx-xw7r-r5c8
Weaknesses: CWE-770: Allocation of Resources Without Limits or Throttling