CVE-2019-10056

7.5 HIGH

📋 TL;DR

This vulnerability in Suricata allows remote attackers to cause a denial of service (crash) by sending specially crafted network packets. It affects Suricata IDS/IPS systems running vulnerable versions, potentially disrupting network security monitoring.

💻 Affected Systems

Products:
  • Suricata
Versions: 4.1.3 and earlier 4.1.x releases that contain the vulnerable packet-decoding code; fixed in 4.1.4
Operating Systems: All operating systems running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: Any Suricata deployment that decodes live or captured traffic is exposed, in passive (IDS, tap/SPAN) and inline (IPS) capture modes alike; no rule set or configuration option avoids the vulnerable code path.

📦 What is this software?

Suricata is an open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It runs as a passive intrusion detection system, an inline intrusion prevention system, or a network security monitoring sensor, decoding every packet on the interfaces it is attached to and matching it against signature rules and protocol parsers.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Suricata service crash leading to loss of network intrusion detection/prevention capabilities, potentially allowing undetected attacks. In inline deployments the outage is worse than blindness: NFQUEUE without --queue-bypass and AF_PACKET IPS mode both fail closed, so a crashed sensor also stops forwarding traffic.

🟠

Likely Case

Service instability and crashes requiring manual restart, creating security monitoring gaps.

🟢

If Mitigated

Minimal impact if the deployment fails open (passive tap/SPAN, NFQUEUE with --queue-bypass, or a bypass NIC) and the process is supervised or redundant, though every crash still opens a detection gap until the sensor is back up. Fail-open is a property of how Suricata is wired in, not a Suricata setting.

🌐 Internet-Facing: HIGH - a sensor watching an external link decodes every packet that crosses it, so any remote host that can reach a monitored address can deliver the trigger; no session set-up or authentication is needed, and the sensor's own address does not have to be the destination.
🏢 Internal Only: MEDIUM - any host on a monitored internal segment can do the same once an attacker has a foothold there.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Triggering the bug only requires getting crafted packets of the right type onto a link the sensor inspects; it is straightforward to reproduce once the trigger is known, and nothing about the sensor's configuration or rule set stands in the way.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.4 and later

Vendor Advisory: https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/

Restart Required: Yes

Instructions:

1. Download Suricata 4.1.4 or later from suricata-ids.org, or upgrade to a distribution package that carries the 4.1.4 fixes.
2. Stop the Suricata service.
3. Install the new version.
4. Start Suricata again and confirm that the running process reports the new version (see How to Verify below).

🔧 Temporary Workarounds

No packet-filter workaround

Rate limiting does not reduce exposure here, and the rule pair that is often suggested should not be relied on:

iptables -A INPUT -p tcp --dport <suricata_port> -m limit --limit 1000/second -j ACCEPT
iptables -A INPUT -p tcp --dport <suricata_port> -j DROP

Suricata does not listen on a TCP port, so there is no <suricata_port> to filter; it decodes every frame on the interfaces it monitors, and a crafted packet or two is enough to take the process down, so limiting the rate changes nothing. On an AF_PACKET or pcap sensor the capture socket receives its copy of each frame at the link layer, before netfilter's INPUT chain is evaluated, so the rule is never consulted for the traffic that matters. While unpatched, the only real stopgaps are keeping a vulnerable sensor off untrusted links and supervising the process so it comes back quickly (next section).

🧯 If You Can't Patch

  • Implement redundant Suricata instances with automatic failover
  • Monitor Suricata process health and implement automatic restart scripts
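One way to implement the automatic-restart item, as an added example that is not from the advisory or the Suricata project: a systemd drop-in that restarts the service after an abnormal exit, with a start-rate limit so a sustained stream of trigger packets does not become an unbounded crash-restart loop. It assumes the unit is named suricata.service (the name varies by distribution; check systemctl list-units 'suricata*') and, unless a directory is passed in, writes to /etc/systemd/system/suricata.service.d/.

```shell
#!/bin/sh
# Added example, not from the advisory or the Suricata project.
# Installs a systemd drop-in so a crashed Suricata comes back on its own.
# Assumes the unit is called suricata.service; adjust if yours differs.

# install_restart_override [DROPIN_DIR]
# Writes 10-restart.conf into DROPIN_DIR (default: the real drop-in path,
# which needs root). Restart=on-failure covers SIGSEGV/core dumps but not a
# clean `systemctl stop`. The [Unit] limits keep systemd from retrying
# forever while trigger traffic keeps arriving: ten crashes inside five
# minutes leave the unit in the failed state, which is the cue to escalate
# rather than keep bouncing a blind sensor.
install_restart_override() {
    dir=${1:-/etc/systemd/system/suricata.service.d}
    mkdir -p "$dir" || return 1
    cat > "$dir/10-restart.conf" <<'EOF'
[Unit]
StartLimitIntervalSec=300
StartLimitBurst=10

[Service]
Restart=on-failure
RestartSec=2s
EOF
}

# `sh restart-override.sh apply` (as root) installs the drop-in and reloads
# systemd; without the argument the script only defines the function.
if [ "${1:-}" = apply ]; then
    install_restart_override && systemctl daemon-reload && systemctl restart suricata
fi
```

After applying it, systemctl show suricata -p NRestarts reports how many times the unit has been bounced since its last manual start; alert when that number climbs, because each bounce is a detection gap and a sequence of them points at someone feeding the sensor trigger packets.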

🔍 How to Verify

Check if Vulnerable:

Any 4.1.x release before 4.1.4 is affected. Check the binary the service actually executes (the ExecStart path shown by systemctl cat suricata, or ps -o args= -C suricata), not just whichever suricata is first in PATH.

Check Version:

suricata -V

The banner reads "This is Suricata version 4.1.3 RELEASE"; suricata --build-info prints the same line first. Note the lowercase "version": a case-sensitive grep for 'Suricata Version' matches nothing.

Verify Fix Applied:

The running process reports 4.1.4 or later. An upgraded binary on disk does not fix a process that was started before the upgrade, so compare ps -o lstart= -C suricata with the upgrade time, or simply restart the service. If you hold a capture that crashed the old build, replay it in an isolated lab with suricata -r <crash.pcap> and confirm the process exits cleanly.
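A script that turns the version banner into a vulnerable/fixed decision, as an added example that is not part of the advisory: it extracts the first x.y.z triple from the line suricata -V prints and compares it with the 4.1.4 fix version given above. The banner format and the fix version are taken from this page; the function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a Suricata version banner
# predates the 4.1.4 fix for CVE-2019-10056. Usage:
#   sh suricata-check.sh "$(suricata -V)"                       # binary in PATH
#   sh suricata-check.sh "$(/opt/suricata/bin/suricata -V)"     # the binary the unit really runs
# With no argument the script only defines the function, so it can be sourced.

# suricata_fix_status BANNER
# BANNER is the line `suricata -V` prints, e.g. "This is Suricata version 4.1.3 RELEASE"
# (`suricata --build-info` starts with the same line). Prints vulnerable, fixed or
# unknown and returns 0 for vulnerable, 1 for fixed, 2 when no x.y.z version is found.
# Caveat: a "4.1.4-dev" git build is classified by its number only; whether it
# actually contains the fix commit has to be checked against the tree.
suricata_fix_status() {
    # First dotted x.y.z triple in the banner. The leading space lets the
    # boundary class [^0-9.] match even when the version starts the string.
    ver=$(printf ' %s\n' "$1" \
          | sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
          | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    # Fix version on this page is 4.1.4; everything older is treated as affected.
    if [ "$maj" -gt 4 ] \
       || { [ "$maj" -eq 4 ] && [ "$min" -gt 1 ]; } \
       || { [ "$maj" -eq 4 ] && [ "$min" -eq 1 ] && [ "$pat" -ge 4 ]; }; then
        echo fixed
        return 1
    fi
    echo vulnerable
    return 0
}

if [ $# -gt 0 ]; then
    suricata_fix_status "$1"
fi
```

Run it against the banner of the binary named in the unit file rather than the one in your shell's PATH; sensors with a hand-built Suricata next to a distribution package are exactly where the two disagree.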

📡 Detection & Monitoring

Log Indicators:

  • Suricata process crashes
  • Segmentation fault errors in logs
  • Unexpected service restarts

Network Indicators:

  • Unusually short frames (the page notes 28-byte packets) on monitored links, correlated with the crash timestamps; Suricata has no listening port, so "destination port" is not a useful filter here
  • A sensor that crashes cannot log the packet that killed it, so recover the trigger from an independent tap, a pcap ring buffer, or the upstream device rather than from the sensor's own logs

SIEM Query:

Suricata does not write its own segfault record; suricata.log typically just stops at the crash. The evidence lands in the kernel log and in the service manager, so query those sources (Splunk-style syntax, as in the original query):

sourcetype=syslog AND (("segfault at" AND "in suricata[") OR ("suricata.service" AND ("status=11/SEGV" OR "core-dump" OR "Scheduled restart job")))

A suricata.log or stats.log that goes silent for longer than the stats interval and then shows a fresh startup banner is the same event seen from Suricata's side.
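The same detection logic run locally, as an added example that is not from the advisory: an awk filter over journal/syslog text that counts kernel segfault reports for Suricata threads, abnormal exits recorded by systemd, and automatic restarts, and reports the highest restart counter seen. The sample journal is constructed; the thread names (Suricata-Main, W#01-eth0) and the unit name suricata.service are assumptions about the deployment.

```shell
#!/bin/sh
# Added example, not from the advisory: count the crash indicators a sensor's
# journal/syslog shows after a decoder crash. The sample below is constructed;
# real input comes from `journalctl -o short --no-pager` or /var/log/syslog.
# Assumed thread names (Suricata-Main, W#01-eth0) and unit name (suricata.service).

# crash_indicators < journal-text
# Prints one line: segfaults=N abnormal_exits=N restarts=N max_restart_counter=N
crash_indicators() {
    awk '
        # Kernel segfault report naming a Suricata thread (main thread or an
        # AF_PACKET worker); the object after "in " is the binary or library
        # that faulted, which is the first thing to hand to the developers.
        / kernel: / && / segfault at / && /(Suricata-Main|W#[0-9]+-)/ { seg++ }
        # systemd: the service died from a signal or dumped core (SEGV, ABRT, ...);
        # code=exited with status=0 is a clean stop and is not counted.
        /suricata\.service: Main process exited, code=(dumped|killed)/ { ex++ }
        # systemd: Restart=on-failure fired; the counter grows with each bounce.
        /suricata\.service: Scheduled restart job, restart counter is at [0-9]+/ {
            rs++
            n = $0
            sub(/.*restart counter is at /, "", n)
            sub(/[^0-9].*/, "", n)
            if (n + 0 > max) max = n + 0
        }
        END {
            printf "segfaults=%d abnormal_exits=%d restarts=%d max_restart_counter=%d\n",
                   seg, ex, rs, max
        }
    '
}

# Constructed sample: two crashes seven seconds apart under Restart=on-failure,
# an unrelated sshd line, and a clean stop later that must not be counted.
SAMPLE_JOURNAL='Apr 30 10:15:02 sensor1 kernel: Suricata-Main[2412]: segfault at 0 ip 000055d1c0a1b2c3 sp 00007ffd1e2f3a40 error 4 in suricata[55d1c0900000+3d0000]
Apr 30 10:15:02 sensor1 systemd[1]: suricata.service: Main process exited, code=dumped, status=11/SEGV
Apr 30 10:15:04 sensor1 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.
Apr 30 10:15:04 sensor1 systemd[1]: Started Suricata IDS/IPS daemon.
Apr 30 10:15:09 sensor1 kernel: W#01-eth0[2520]: segfault at 0 ip 000055e2d0a1b2c3 sp 00007f3a2e2f3a40 error 4 in suricata[55e2d0900000+3d0000]
Apr 30 10:15:09 sensor1 systemd[1]: suricata.service: Main process exited, code=dumped, status=11/SEGV
Apr 30 10:15:11 sensor1 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 2.
Apr 30 10:15:11 sensor1 systemd[1]: Started Suricata IDS/IPS daemon.
Apr 30 10:16:00 sensor1 sshd[3001]: Accepted publickey for ops from 10.0.0.5 port 51022 ssh2
Apr 30 10:40:00 sensor1 systemd[1]: suricata.service: Main process exited, code=exited, status=0/SUCCESS'

printf '%s\n' "$SAMPLE_JOURNAL" | crash_indicators
```

Pipe the real journal through crash_indicators from a cron job or a collector pre-processor; two segfaults with a rising restart counter inside a few seconds is the signature of someone replaying the trigger, while a single segfault with no restart means the sensor is down and nobody is restarting it.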

🔗 References

  • Vendor release announcement (Suricata 4.1.4): https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-10056