CVE-2024-55628

CVSS base score: 7.5 (HIGH)

📋 TL;DR

Suricata's DNS parser follows name-compression pointers while decoding resource names. A small, specially crafted DNS message whose pointers chain together can therefore decompress into very large resource names, costing CPU and memory out of all proportion to the bytes on the wire. Suricata versions prior to 7.0.8 are affected; the practical result is denial of service on the sensor or degraded inspection (dropped packets, missed detections).
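To make the mechanism concrete, here is an added example (written for this page, not Suricata's own parser) of a naive DNS name decompressor next to a bounded one, run against constructed messages. The naive decoder follows pointers with no limit on hops, direction or output size, so a 52-byte message whose pointers form a cycle produces name data without end (a demo-only cap turns that into an error), and five 63-octet labels linked by pointers decode into 320 octets of name. The hardened decoder enforces three checks while decoding: pointers must point strictly backward, a hop cap, and the 255-octet wire-name limit. The hop cap of 32 and the header values are assumptions chosen for the example, not RFC or Suricata constants; the example goes beyond the advisory text by also showing the cycle case.

```python
# Added example: naive vs. bounded DNS name decompression.
# Not Suricata's parser; the messages below are constructed here, not captured.
import struct

MAX_WIRE_NAME_LEN = 255       # RFC 1035: a wire-format name is at most 255 octets
MAX_POINTER_HOPS = 32         # assumption: cap chosen for this example
NAIVE_OUTPUT_CAP = 64 * 1024  # demo only: lets the naive decoder stop on a cycle


def decode_name_naive(msg, off):
    """Follow compression pointers with no hop, direction or size limit.
    Returns (labels, offset after the name)."""
    labels, total, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: compression pointer
            if end is None:
                end = off + 2                     # name ends after its first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        if length == 0:
            return labels, (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length])
        total += 1 + length
        if total > NAIVE_OUTPUT_CAP:              # would otherwise loop forever
            raise RuntimeError(f"{total} name octets from a {len(msg)}-byte message")
        off += 1 + length


def decode_name_hardened(msg, off):
    """Same decoder with bounds enforced while decoding, not afterwards."""
    labels, wire_len, hops, end = [], 0, 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if ptr >= off:                        # RFC 1035: pointer to a *prior* occurrence
                raise ValueError("compression pointer does not point backward")
            if end is None:
                end = off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        wire_len += 1 + length
        if wire_len > MAX_WIRE_NAME_LEN:
            raise ValueError("decoded name exceeds 255 octets")
        if length == 0:
            return labels, (end if end is not None else off + 1)
        label = msg[off + 1:off + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        off += 1 + length


def build_chain_message(n_links, label=b"a", loop=False):
    """Constructed input: a 12-byte header, then n_links links of `label` plus a
    pointer to the previous link. Link 0 terminates the name or, with loop=True,
    points forward to the last link. Returns (message, offset of the last link)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # assumed header
    base, link_len = len(header), 1 + len(label) + 2
    body, offsets = bytearray(), []
    for i in range(n_links):
        offsets.append(base + len(body))
        body += bytes([len(label)]) + label
        if i == 0 and not loop:
            body += b"\x00"
        elif i == 0:
            body += struct.pack("!H", 0xC000 | (base + link_len * (n_links - 1)))
        else:
            body += struct.pack("!H", 0xC000 | offsets[i - 1])
    return bytes(header + body), offsets[-1]


def classify(decoder, msg, off):
    """Summarise a decode as 'ok:<labels>', 'rejected:<reason>' or 'blowup:<detail>'."""
    try:
        return f"ok:{len(decoder(msg, off)[0])}"
    except ValueError as e:
        return f"rejected:{e}"
    except RuntimeError as e:
        return f"blowup:{e}"


if __name__ == "__main__":
    cases = [("legal 20-hop chain", dict(n_links=20)),
             ("10-link pointer cycle", dict(n_links=10, loop=True)),
             ("5 x 63-octet labels", dict(n_links=5, label=b"x" * 63))]
    for title, args in cases:
        msg, start = build_chain_message(**args)
        print(f"{title} ({len(msg)} bytes on the wire)")
        print("  naive:   ", classify(decode_name_naive, msg, start))
        print("  hardened:", classify(decode_name_hardened, msg, start))
```

The backward-pointer rule alone makes cycles impossible, because the offset strictly decreases on every hop; the hop cap and the running length check bound the work and the output even for non-cyclic chains. The hop cap is a policy choice: a 255-octet name can legally contain more than 32 pointer hops, so a real parser has to pick a value that does not reject traffic it needs to inspect.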

💻 Affected Systems

Products:
  • Suricata
Versions: All versions prior to 7.0.8
Operating Systems: All operating systems running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment that parses DNS is exposed, and the DNS app-layer parser is enabled in the default suricata.yaml. Disabling it would avoid the affected code path but also removes DNS logging and DNS-based detection, so it is not a practical workaround for most sensors.

📦 What is this software?

Suricata is the open-source network IDS/IPS and network security monitoring engine maintained by the Open Information Security Foundation (OISF). It decodes and parses traffic on a monitored or inline link, including DNS, and writes protocol logs (eve.json) and alerts.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service through resource exhaustion, causing Suricata to crash or become unresponsive, potentially disrupting network security monitoring.

🟠

Likely Case

Performance degradation and increased resource consumption, leading to dropped packets or missed detections in network traffic analysis.

🟢

If Mitigated

Minimal impact with upstream filtering, resource limits and monitoring in place; a targeted attacker can still degrade the sensor until it is patched.

🌐 Internet-Facing: HIGH - Suricata is usually deployed to inspect internet-facing traffic, so any external host able to get a DNS message onto a monitored segment (for example by answering a query from inside, or by sending unsolicited DNS to a monitored address) reaches the vulnerable decoder.
🏢 Internal Only: MEDIUM - An internal attacker can exploit it too, but must be able to place DNS traffic on a segment that Suricata inspects.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires that a specially crafted DNS message cross a link the vulnerable Suricata instance inspects; no authentication or interaction with the sensor itself is needed, which is straightforward for anyone whose traffic it sees.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.8

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j

Restart Required: Yes

Instructions:

1. Obtain Suricata 7.0.8 or later from the official release channel or your distribution.
2. Stop the Suricata service.
3. Install the updated version.
4. Restart the Suricata service.
5. Verify the running version is 7.0.8 or higher.

🔧 Temporary Workarounds

DNS Traffic Filtering (platforms: all)

Where Suricata runs inline (IPS mode) or behind a firewall you control, drop or rate limit DNS from untrusted sources before it reaches the sensor. A passive sensor sees whatever crosses the monitored link, so any filtering has to happen upstream of that link.

Resource Monitoring (platforms: all)

Alert on abnormal Suricata CPU and memory use and on rising DNS app-layer error counters in Suricata's stats output (stats.log or the eve stats event), so that a decoding storm is noticed before capture drops begin.

🧯 If You Can't Patch

  • Rate limit DNS from untrusted sources at a firewall or load balancer upstream of the sensor; this only helps where the sensor is inline or the filtering point sits before the monitored link
  • Run Suricata in a container or cgroup with CPU and memory limits so that runaway decoding cannot exhaust the host, and make sure it is restarted automatically if it is killed

🔍 How to Verify

Check if Vulnerable:

Run 'suricata -V' (or 'suricata --build-info', whose first line carries the version) and check whether the version is below 7.0.8

Check Version:

suricata --build-info | grep -i version

Verify Fix Applied:

After patching, run 'suricata -V' and confirm the version is 7.0.8 or higher; if the service was restarted from an init script, confirm the running process is the new binary and not a stale one

📡 Detection & Monitoring

Log Indicators:

  • DNS eve records whose rrname is longer than a legal wire name allows (253 characters in presentation form), if the sensor managed to log it at all
  • Rising DNS app-layer error counters in stats.log or the eve stats event
  • Capture drops (capture.kernel_drops) and rising memory use that coincide with bursts of DNS traffic

Network Indicators:

  • DNS messages that are small on the wire but dense with compression pointers (0xC0-prefixed label bytes); packet size is not the tell, since the point of the bug is that a small message expands
  • An unusual volume of DNS, especially unsolicited DNS responses, toward addresses on the monitored segment

SIEM Query:

source="suricata" event_type=dns | eval rrname_len=len('dns.rrname') | where rrname_len>253 | stats count by src_ip, dest_ip

🔗 References

  • Vendor advisory: https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j