CVE-2024-32663
📋 TL;DR
CVE-2024-32663 is a memory exhaustion vulnerability in Suricata's HTTP/2 parser where small amounts of HTTP/2 traffic can cause excessive memory consumption. This affects Suricata deployments running versions before 7.0.5 or 6.0.19. The vulnerability can lead to denial of service through resource exhaustion.
💻 Affected Systems
- Suricata
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service as Suricata consumes all available memory, causing system instability or crash, potentially disrupting network security monitoring.
Likely Case
Degraded performance or temporary service interruption as memory consumption spikes, requiring manual intervention to restart services.
If Mitigated
Minimal impact with proper memory limits and monitoring in place, though some performance degradation may still occur during attack.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP/2 traffic, which is straightforward for attackers familiar with HTTP/2 protocol.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.5 or 6.0.19
Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r
Restart Required: Yes
Instructions:
1. Download Suricata 7.0.5 or 6.0.19 from official sources.
2. Stop the Suricata service.
3. Install the updated version.
4. Restart the Suricata service.
5. Verify that the new version is running.
🔧 Temporary Workarounds
Disable HTTP/2 Parser
Completely disable HTTP/2 parsing to prevent exploitation.
Edit suricata.yaml and set: app-layer.protocols.http2.enabled: no
Reduce HTTP/2 Table Size
Limit memory consumption by reducing the maximum HTTP/2 table size.
Edit suricata.yaml and set: app-layer.protocols.http2.max-table-size: 4096
🧯 If You Can't Patch
- Implement workarounds to disable HTTP/2 parsing or reduce table size
- Implement strict network segmentation to limit HTTP/2 traffic to Suricata instances
🔍 How to Verify
Check if Vulnerable:
Check the installed Suricata version with: suricata --build-info | grep version
Verify Fix Applied:
The installed version is 7.0.5 or later on the 7.0 branch, or 6.0.19 or later on the 6.0 branch.
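The version check above, turned into a branch-aware script as an added example (not part of the advisory): it classifies a version string against the 7.0.5 and 6.0.19 fix releases and, when a local suricata binary exists, parses its build-info output. The "This is Suricata version X.Y.Z RELEASE" line format is assumed.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed Suricata
# is affected by CVE-2024-32663 (fixed in 7.0.5 and 6.0.19).

# Extract "7.0.4" from build-info output. Assumes a line such as
# "This is Suricata version 7.0.4 RELEASE" (the exact format is an assumption).
parse_suricata_build_info() {
    printf '%s\n' "$1" | sed -n 's/.*Suricata version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "fixed" or "unknown" for a version string.
suricata_cve_2024_32663_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-dev", " RELEASE", ...
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs     # split on dots
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major" in
        7) if [ "$minor" -eq 0 ] && [ "$patch" -lt 5 ]; then echo vulnerable; return 0; fi ;;
        6) if [ "$minor" -eq 0 ] && [ "$patch" -lt 19 ]; then echo vulnerable; return 0; fi ;;
        [0-5]) echo vulnerable; return 0 ;;             # predates both fixed releases
    esac
    echo fixed
}

# Run against the local install, when there is one; otherwise report and exit cleanly.
check_local_suricata() {
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not found in PATH"; return 0
    fi
    ver=$(parse_suricata_build_info "$(suricata --build-info 2>/dev/null)")
    echo "Suricata ${ver:-?}: $(suricata_cve_2024_32663_status "$ver") (CVE-2024-32663)"
}

check_local_suricata
```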
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption spikes in system logs
- Suricata process restarts or crashes
- High memory usage alerts
Network Indicators:
- Unusual patterns of HTTP/2 traffic
- Multiple HTTP/2 connections from single sources
SIEM Query:
source="suricata" AND ("out of memory" OR "memory allocation failed" OR process_restart)
🔗 References
- https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64
- https://github.com/OISF/suricata/commit/c0af92295e833d1db29b184d63cd3b829451d7fd
- https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019
- https://github.com/OISF/suricata/commit/e68ec4b227d19498f364a41eb25d3182f0383ca5
- https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r
- https://redmine.openinfosecfoundation.org/issues/6892
- https://redmine.openinfosecfoundation.org/issues/6900
- https://lists.debian.org/debian-lts-announce/2025/03/msg00029.html