CVE-2024-28870
📋 TL;DR
Suricata versions before 6.0.17 and 7.0.4 are vulnerable to a denial-of-service attack when processing excessively long SSH banners. Attackers can cause excessive CPU consumption and generate high-volume alert logging, potentially degrading or disrupting network monitoring capabilities. Organizations running vulnerable Suricata instances for IDS/IPS/NSM are affected.
💻 Affected Systems
- Suricata
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where Suricata becomes unresponsive, causing loss of network visibility and potential security monitoring gaps.
Likely Case
Performance degradation with high CPU usage and excessive logging that could fill disk space, impacting Suricata's ability to process other network traffic.
If Mitigated
Minimal impact with proper resource monitoring and alerting in place to detect abnormal behavior.
🎯 Exploit Status
Exploitation requires sending a specially crafted SSH banner to Suricata's monitoring interface, which is trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.17 and 7.0.4
Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-mhhx-xw7r-r5c8
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the Suricata service.
3. Update to Suricata 6.0.17 or 7.0.4 using your package manager or a source build.
4. Restart the Suricata service.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable SSH protocol parsing
Temporarily disable SSH protocol inspection in the Suricata configuration.
Edit suricata.yaml and, under app-layer: protocols: ssh:, set enabled: no (the 'ssh.enabled: no' setting). Note that this also stops SSH app-layer detection and any SSH-keyword rules on that sensor until the parser is re-enabled.
Rate limit SSH alerts
Configure thresholding to limit the SSH alert volume.
Add to threshold.config: 'threshold gen_id 1, sig_id 2200074, type limit, track by_src, count 1, seconds 60'. (A 'suppress' entry does not take count/seconds; 'type limit' is the form that caps alerts per source per interval while still recording the first one.)
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Suricata monitoring interfaces
- Deploy rate limiting or traffic filtering for SSH traffic to Suricata sensors
🔍 How to Verify
Check if Vulnerable:
Check Suricata version with 'suricata --build-info' or 'suricata -V' and compare against vulnerable versions (before 6.0.17 or 7.0.4).
Check Version:
suricata --build-info | grep Version
Verify Fix Applied:
Confirm version is 6.0.17 or higher for 6.x branch, or 7.0.4 or higher for 7.x branch. Monitor CPU usage and alert volume during SSH traffic.
📡 Detection & Monitoring
Log Indicators:
- Sudden spike in SSH alerts
- High volume of alert records filling logs
- CPU usage alerts from Suricata process
Network Indicators:
- Unusually long SSH banners (over 8192 bytes) to Suricata sensors
- Repeated SSH connection attempts to monitoring interfaces
SIEM Query:
source="suricata" AND (alert.signature_id=2200074 OR alert.category="SSH Protocol Violation") | stats count by src_ip
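To apply the log indicators above without a SIEM, here is an added Python example (not from this page or the Suricata project) that reads eve.json lines and flags sources whose SSH alert count inside a 60-second window exceeds a limit, mirroring the "stats count by src_ip" query. The signature id and category are the ones quoted in the SIEM query; the sample log lines, the window and the limit are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

SSH_SIG_ID = 2200074  # signature id and category quoted in the SIEM query above
SSH_CATEGORY = "SSH Protocol Violation"

def is_ssh_alert(rec):
    """True for eve.json alert records matching the SSH indicators on this page."""
    alert = rec.get("alert") or {}
    return rec.get("event_type") == "alert" and (
        alert.get("signature_id") == SSH_SIG_ID or alert.get("category") == SSH_CATEGORY)

def parse_ts(ts):
    # eve.json timestamps look like 2024-03-20T10:15:30.123456+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def ssh_alert_bursts(lines, window=timedelta(seconds=60), limit=10):
    """Map src_ip -> peak SSH alert count inside any `window`, for sources above `limit`."""
    stamps = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort
        if is_ssh_alert(rec):
            stamps[rec["src_ip"]].append(parse_ts(rec["timestamp"]))
    bursts = {}
    for ip, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            bursts[ip] = peak
    return bursts

def _eve(ts, src, etype="alert"):
    """Build a constructed eve.json line (sample data, not a real capture)."""
    return json.dumps({"timestamp": ts, "event_type": etype, "src_ip": src,
                       "alert": {"signature_id": SSH_SIG_ID, "category": SSH_CATEGORY}})

SAMPLE_LINES = (  # constructed: 12 alerts in 33 s from .5, 3 alerts over 4 min from .6
    [_eve(f"2024-03-20T10:15:{s:02d}.000000+0000", "10.0.0.5") for s in range(0, 36, 3)]
    + [_eve(f"2024-03-20T10:{m:02d}:00.000000+0000", "10.0.0.6") for m in (10, 12, 14)]
    + [_eve("2024-03-20T10:15:01.000000+0000", "10.0.0.7", etype="flow"), "not json"])

print(ssh_alert_bursts(SAMPLE_LINES))  # → {'10.0.0.5': 12}
```

Point the function at the live file (for example by iterating over open("eve.json")) and tune window and limit to the normal SSH alert rate of your sensor.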