CVE-2024-23836
📋 TL;DR
CVE-2024-23836 is a resource exhaustion vulnerability in Suricata: an attacker who can send crafted network traffic past the sensor can drive CPU and memory consumption high enough to cause a denial of service. It affects all Suricata deployments running 6.x releases before 6.0.16 or 7.x releases before 7.0.3. Network administrators and security teams relying on Suricata for intrusion detection or prevention are impacted.
💻 Affected Systems
- Suricata IDS/IPS
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where Suricata becomes unresponsive, dropping all traffic inspection and allowing malicious traffic to pass undetected.
Likely Case
Severe performance degradation causing packet loss, missed detections, and system instability requiring restart.
If Mitigated
Reduced performance impact with workarounds, but still vulnerable to targeted attacks.
🎯 Exploit Status
No public exploit code available yet, but vulnerability details are public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.16 or 7.0.3
Vendor Advisory: https://github.com/OISF/suricata/security/advisories
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the Suricata service.
3. Update to Suricata 6.0.16 or 7.0.3 using the package manager or by compiling from source.
4. Restart the Suricata service.
5. Verify the version with 'suricata -V'.
🔧 Temporary Workarounds
Disable affected protocol parser
Disable the vulnerable protocol's app-layer parser in the Suricata YAML configuration.
Edit suricata.yaml and set the app-layer protocol parser to 'disabled' for the affected protocols.
Reduce stream reassembly depth
Lower the stream.reassembly.depth value to reduce the memory consumption impact.
Edit suricata.yaml and set 'stream.reassembly.depth' to a lower value (e.g., 1MB)
🧯 If You Can't Patch
- Implement workarounds to disable affected protocol parsers and reduce stream.reassembly.depth
- Deploy network segmentation to limit exposure and monitor for anomalous traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check the Suricata version with 'suricata -V' and compare it with the vulnerable ranges (6.x before 6.0.16, 7.x before 7.0.3).
Check Version:
suricata -V
Verify Fix Applied:
Confirm version is 6.0.16 or higher for 6.x branch, or 7.0.3 or higher for 7.x branch using 'suricata -V'.
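A scripted form of the check above, added here as an example rather than taken from the advisory: it parses the banner printed by 'suricata -V' (assumed to read "This is Suricata version X.Y.Z ...") and compares the version numerically with the fixed release for its branch, so that 7.0.10 is correctly ranked above 7.0.3.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a Suricata version for
# CVE-2024-23836. Fixed releases are 6.0.16 (6.x branch) and 7.0.3 (7.x
# branch); any other branch is reported as "unknown".
# Usage: check_cve_2024_23836 "$(suricata -V)"   (exit status 0 only when fixed)

# Extract X.Y.Z from the banner. Assumed banner form:
# "This is Suricata version 7.0.2 RELEASE"
suricata_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed when version $1 >= version $2, comparing the three fields as
# integers (a plain string compare would rank 7.0.10 below 7.0.9).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Print "fixed", "vulnerable" or "unknown" for the given 'suricata -V' output.
# Exit status: 0 fixed, 1 vulnerable, 2 unknown (no version or unlisted branch).
check_cve_2024_23836() {
    ver=$(suricata_version "$1")
    case "${ver%%.*}" in
        6) fixed=6.0.16 ;;
        7) fixed=7.0.3 ;;
        *) echo unknown; return 2 ;;
    esac
    if version_ge "$ver" "$fixed"; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}
```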
📡 Detection & Monitoring
Log Indicators:
- High CPU/memory usage alerts
- Suricata process crashes or restarts
- Performance degradation logs
Network Indicators:
- Unusual protocol traffic patterns
- High volume of crafted packets to Suricata interfaces
SIEM Query:
(source="suricata" AND (cpu_usage>90 OR memory_usage>90)) OR (process="suricata" AND event="crash")
🔗 References
- https://github.com/OISF/suricata/commit/18841a58da71e735ddf4e52cbfa6989755ecbeb7
- https://github.com/OISF/suricata/commit/2a2120ecf10c5b5713ec2bf59469fe57f7b5b747
- https://github.com/OISF/suricata/commit/83c5567ea7b0b28376f57dcfee9c6301448c7bc7
- https://github.com/OISF/suricata/commit/8efaebe293e2a74c8e323fa85a6f5fadf82801bc
- https://github.com/OISF/suricata/commit/97953998d2d60673ed6c30ddfb6a2d59b4230f97
- https://github.com/OISF/suricata/commit/b1549e930f6426eeff43f12b672337cbcda566b8
- https://github.com/OISF/suricata/commit/cd035d59e3df157b606f4fe67324ea8e437be786
- https://github.com/OISF/suricata/commit/ce9b90326949c94a46611d6394e28600ee5e8bd5
- https://github.com/OISF/suricata/commit/e7e28822f473320658d6125f16ac3f0524baff01
- https://github.com/OISF/suricata/commit/f9de1cca6182e571f1c02387dca6e695e55608af
- https://github.com/OISF/suricata/security/advisories/GHSA-q33q-45cr-3cpc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GOCOBFUTIFHOP2PZOH4ENRFXRBHIRKK4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXJIT7R53ZXROO3I256RFUWTIW4ECK6P/
- https://redmine.openinfosecfoundation.org/issues/6531
- https://redmine.openinfosecfoundation.org/issues/6532
- https://redmine.openinfosecfoundation.org/issues/6540
- https://redmine.openinfosecfoundation.org/issues/6658
- https://redmine.openinfosecfoundation.org/issues/6659
- https://redmine.openinfosecfoundation.org/issues/6660