CVE-2024-55605

7.5 HIGH

📋 TL;DR

This vulnerability in Suricata allows attackers to cause a denial-of-service by sending specially crafted network traffic that triggers a stack overflow in multiple transform functions. It affects all Suricata deployments running versions prior to 7.0.8 that use the vulnerable transform operations.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions prior to 7.0.8
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in multiple transform functions (to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, xor) that process input buffers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the stack overflow can be controlled to execute arbitrary code.

🟠 Likely Case: Denial-of-service causing Suricata to crash, disrupting network security monitoring and potentially allowing attacks to go undetected.

🟢 If Mitigated: Temporary service disruption until Suricata restarts automatically or manually.

🌐 Internet-Facing: HIGH - Suricata typically processes untrusted network traffic from external sources, making internet-facing instances highly vulnerable.
🏢 Internal Only: MEDIUM - Internal deployments still process potentially malicious traffic but with reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted network traffic to trigger the vulnerable transform functions. No authentication needed as Suricata processes network traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.8

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-x2hr-33vp-w289

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.8 or later from official sources.
2. Stop the Suricata service.
3. Install the updated version.
4. Restart the Suricata service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Disable vulnerable transforms

Applies to: all

Temporarily disable the vulnerable transform functions in the Suricata configuration if they are not essential for your use case.

Edit suricata.yaml (or the rule files it loads) and comment out or remove rules that use any of these transform keywords: to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, xor

🧯 If You Can't Patch

  • Implement network segmentation to limit traffic to Suricata instances
  • Deploy additional IDS/IPS systems in parallel for redundancy during potential outages

🔍 How to Verify

Check if Vulnerable:

Check Suricata version with 'suricata --build-info' or 'suricata -V' and verify it's below 7.0.8

Check Version:

suricata --build-info | grep Version

Verify Fix Applied:

After patching, run 'suricata --build-info' and confirm version is 7.0.8 or higher
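As an added example serving both the transform workaround above and this version check (it is not from the advisory or the Suricata project), the POSIX shell script below compares a version string with the fixed release 7.0.8 and lists enabled rules that use the affected transform keywords. It assumes "X.Y.Z" version strings, one rule per line in the rule files, and that `suricata -V` prints "This is Suricata version X.Y.Z ..."; the sample ruleset is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the Suricata project: compare a version
# string with the fixed release 7.0.8 and list enabled rules that use the transform
# keywords the advisory names. Assumes "X.Y.Z" version strings and one rule per line.
FIXED_MAJOR=7; FIXED_MINOR=0; FIXED_PATCH=8
VULN_TRANSFORMS="to_lowercase to_uppercase strip_whitespace compress_whitespace dotprefix header_lowercase strip_pseudo_headers url_decode xor"

# version_vulnerable VERSION: exit 0 when VERSION is older than 7.0.8.
version_vulnerable() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
    pat=${pat%%[!0-9]*}   # drop suffixes such as "-dev"
    [ "$maj" -lt "$FIXED_MAJOR" ] && return 0
    [ "$maj" -gt "$FIXED_MAJOR" ] && return 1
    [ "$min" -lt "$FIXED_MINOR" ] && return 0
    [ "$min" -gt "$FIXED_MINOR" ] && return 1
    [ "$pat" -lt "$FIXED_PATCH" ]
}

# vulnerable_rules FILE: print, with line numbers, each enabled rule that uses one of
# the affected transforms (keyword followed by ';' or ':'); '#'-disabled rules are skipped.
vulnerable_rules() {
    pattern=$(printf '%s' "$VULN_TRANSFORMS" | tr ' ' '|')
    grep -n -E "^[^#].*[;[:space:]](${pattern})[[:space:]]*[;:]" "$1"
}

# count_vulnerable_rules FILE: number of such rules as a plain integer.
count_vulnerable_rules() {
    vulnerable_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample ruleset (not a real ruleset) to exercise the checks.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
alert http any any -> any any (msg:"uri lowercase"; http.uri; to_lowercase; content:"/admin"; sid:9000001; rev:1;)
alert http any any -> any any (msg:"no transform"; http.uri; content:"/login"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"xor transform"; content:"key"; xor:"0d0ac8ff"; sid:9000003; rev:1;)
# alert http any any -> any any (msg:"disabled"; http.uri; url_decode; content:"x"; sid:9000004; rev:1;)
EOF

# If Suricata is installed, parse its version from 'suricata -V' (assumed to print
# "This is Suricata version X.Y.Z ..."); otherwise only the sample ruleset is checked.
if command -v suricata >/dev/null 2>&1; then
    installed=$(suricata -V | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
    version_vulnerable "$installed" && echo "Suricata $installed: older than 7.0.8, update" || echo "Suricata $installed: includes the fix"
fi
echo "Rules using affected transforms: $(count_vulnerable_rules "$RULES_FILE")"
vulnerable_rules "$RULES_FILE" || true
rm -f "$RULES_FILE"
```

Point `vulnerable_rules` at your own rule files (the ones listed under `rule-files` in suricata.yaml) to find the rules the workaround asks you to disable.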

📡 Detection & Monitoring

Log Indicators:

  • Suricata crash logs
  • Segmentation fault errors in system logs
  • Unexpected Suricata service restarts

Network Indicators:

  • Large or malformed packets targeting Suricata transform functions
  • Traffic patterns designed to trigger buffer overflows

SIEM Query:

source="suricata" AND ("segmentation fault" OR "crash" OR "stack overflow")
