CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55605 – Suricata allows stack overflow in transforms
https://notcve.org/view.php?id=CVE-2024-55605
12 Dec 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un mo... • https://github.com/OISF/suricata/security/advisories/GHSA-x2hr-33vp-w289 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55626 – Suricata oversized bpf file can lead to buffer overflow
https://notcve.org/view.php?id=CVE-2024-55626
12 Dec 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. Antes de la versión 7.0.8, un archivo de filtro BPF grande proporcionado a Suricata al... • https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb • CWE-680: Integer Overflow to Buffer Overflow •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55627 – Suricata segfault on StreamingBufferSlideToOffsetWithRegions
https://notcve.org/view.php?id=CVE-2024-55627
12 Dec 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. Antes de la versión 7.0.8... • https://github.com/OISF/suricata/commit/282509f70c4ce805098e59535af445362e3e9ebd • CWE-122: Heap-based Buffer Overflow CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55628 – Suricata oversized resource names utilizing DNS name compression can lead to resource starvation
https://notcve.org/view.php?id=CVE-2024-55628
12 Dec 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un moto... • https://github.com/OISF/suricata/commit/19cf0f81335d9f787d587450f7105ad95a648951 • CWE-405: Asymmetric Resource Consumption (Amplification) CWE-779: Logging of Excessive Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55629 – Suricata generic detection bypass using TCP urgent support
https://notcve.org/view.php?id=CVE-2024-55629
12 Dec 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packet... • https://github.com/OISF/suricata/commit/6882bcb3e51bd3cf509fb6569cc30f48d7bb53d7 • CWE-437: Incomplete Model of Endpoint Features •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47188 – Suricata http/byte-ranges: missing hashtable random seed leads to potential DoS
https://notcve.org/view.php?id=CVE-2024-47188
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusi... • https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872 • CWE-330: Use of Insufficiently Random Values •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45795 – Suricata detect/datasets: reachable assertion with unimplemented rule option
https://notcve.org/view.php?id=CVE-2024-45795
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de se... • https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g • CWE-617: Reachable Assertion •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45796 – Suricata defrag: off by one can lead to policy bypass
https://notcve.org/view.php?id=CVE-2024-45796
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. Antes de la versión 7.0.7, un error lógico dur... • https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg • CWE-193: Off-by-one Error •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47187 – Suricata datasets: missing hashtable random seed leads to potential DoS
https://notcve.org/view.php?id=CVE-2024-47187
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. • https://github.com/OISF/suricata/security/advisories/GHSA-64ww-4f6x-863p • CWE-330: Use of Insufficiently Random Values •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47522 – Suricata ja4: invalid alpn leads to panic
https://notcve.org/view.php?id=CVE-2024-47522
02 Oct 2024 — Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround. Suricata es un sistema de detección de intrusiones, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. • https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7 • CWE-617: Reachable Assertion •