CVE-2024-45795
📋 TL;DR
This vulnerability in Suricata allows an attacker to cause a denial of service by triggering an assertion failure when rules use datasets with the unimplemented 'unset' option. Systems running Suricata versions before 7.0.7 with custom or untested rulesets are affected. The impact is limited to service disruption rather than remote code execution.
💻 Affected Systems
- Suricata
⚠️ Risk & Real-World Impact
Worst Case
Complete Suricata service crash, disabling all IDS/IPS/NSM functionality and leaving the network unprotected until manual restart.
Likely Case
Suricata process termination when processing specific malicious traffic patterns, requiring service restart and causing temporary security monitoring gap.
If Mitigated
No impact if using only trusted, well-tested rulesets without the problematic 'unset' option in datasets.
🎯 Exploit Status
Exploitation requires sending network traffic that matches vulnerable rules, but specific traffic patterns needed are not publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.7
Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g
Restart Required: Yes
Instructions:
1. Download Suricata 7.0.7 from official sources.
2. Stop the Suricata service.
3. Install the new version following platform-specific installation procedures.
4. Restart the Suricata service.
🔧 Temporary Workarounds
Use trusted rulesets only
Avoid custom rulesets, or use only well-tested rulesets that do not contain datasets with the 'unset' option.
🧯 If You Can't Patch
- Review and remove any rules using datasets with the 'unset' option from active rulesets
- Implement network segmentation to limit potential attack surface and monitor for Suricata service crashes
🔍 How to Verify
Check if Vulnerable:
Check the Suricata version with 'suricata --build-info'; if it is below 7.0.7, review the loaded rulesets for dataset rules that use the 'unset' option.
Check Version:
suricata --build-info | grep 'Version'
Verify Fix Applied:
Confirm that the version reported by 'suricata --build-info' is 7.0.7 or higher, and, if a known-triggering ruleset is available, load it in a test environment to confirm the process no longer aborts.
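The two checks above (version below 7.0.7, and a ruleset containing dataset rules with the 'unset' command) can be scripted. The following POSIX shell is an added example written for this page, not a tool shipped by the Suricata project or the advisory. It assumes that 'suricata --build-info' begins with a line of the form "This is Suricata version X.Y.Z ..." and scans a constructed sample rules file; replace the file path with your own rules files.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a Suricata install that is both
# below the fixed release and loading dataset rules with the 'unset' command.

FIXED_VERSION="7.0.7"

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Uses numeric per-field sort so that 7.0.10 is correctly above 7.0.7.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# extract_version: read 'suricata --build-info' output on stdin and print the
# bare version number from its first line (assumed format, see lead-in).
extract_version() {
    sed -n 's/^This is Suricata version \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# count_unset_dataset_rules FILE: number of active (uncommented) rule lines
# whose dataset keyword uses the 'unset' command, e.g. "dataset:unset,name,...".
count_unset_dataset_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'dataset:[[:space:]]*unset[[:space:]]*,' || true
}

# is_vulnerable VERSION RULESFILE: succeed only when the version predates the
# fix AND at least one active rule uses dataset 'unset'.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION" || return 1
    n=$(count_unset_dataset_rules "$2")
    [ "$n" -gt 0 ]
}

# write_sample_rules FILE: constructed sample ruleset used to exercise the scan.
# Rule 1000002 is the problematic pattern; 1000004 is commented out and ignored.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample ruleset (not a real deployment)
alert http any any -> any any (msg:"dataset set"; http.user_agent; dataset:set,ua-seen,type string,save ua.lst; sid:1000001; rev:1;)
alert http any any -> any any (msg:"dataset unset"; http.user_agent; dataset:unset,ua-seen,type string; sid:1000002; rev:1;)
alert http any any -> any any (msg:"dataset isset"; http.host; dataset:isset,hosts,type string,load hosts.lst; sid:1000003; rev:1;)
# alert http any any -> any any (msg:"disabled"; http.host; dataset:unset,hosts,type string; sid:1000004; rev:1;)
EOF
}

main() {
    rules=$(mktemp)
    write_sample_rules "$rules"
    # Fall back to a constructed build-info line when suricata is not installed.
    ver=$( (suricata --build-info 2>/dev/null || echo "This is Suricata version 7.0.6 RELEASE") | extract_version )
    echo "Suricata version: ${ver:-unknown}"
    echo "Active dataset 'unset' rules in $rules: $(count_unset_dataset_rules "$rules")"
    if is_vulnerable "$ver" "$rules"; then
        echo "RESULT: exposed to CVE-2024-45795 (upgrade to $FIXED_VERSION or remove the 'unset' rules)"
    else
        echo "RESULT: not exposed by these two checks"
    fi
    rm -f "$rules"
}

main
```

Point count_unset_dataset_rules at every file listed under rule-files in suricata.yaml; a hit on a version at or above 7.0.7 is harmless for this CVE but still indicates a rule relying on an unimplemented command.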
📡 Detection & Monitoring
Log Indicators:
- Suricata process termination/crash logs
- Assertion failure messages in system logs
- Unexpected service restarts
Network Indicators:
- Sudden drop in Suricata traffic inspection/alerts
- Patterns of traffic targeting known vulnerable rules if identified
SIEM Query:
source="suricata.log" AND ("assertion" OR "crash" OR "terminated")