Cyber Posture

CVE-2024-55605

High

Published: 06 January 2025
Modified: 31 March 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0045 (63.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55605 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE ranks in the top 36.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Disable or Modify Tools (T1562.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

SI-2 requires timely flaw remediation, directly addressing the stack overflow vulnerability by mandating upgrades to Suricata 7.0.8 or later.

prevent

SC-5 implements denial-of-service protections that limit the effects of crafted oversized inputs causing Suricata crashes.

prevent

SI-16 enforces memory protections such as stack canaries and ASLR to mitigate stack overflow exploits in Suricata's transform functions.

MITRE ATT&CK Enterprise Techniques

T1562.001 Disable or Modify Tools Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Why these techniques?

Remote DoS crash of Suricata IDS/IPS directly enables impairing security tools via crafted network traffic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8.

Deeper analysis

CVE-2024-55605 is a stack overflow vulnerability in Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. The flaw affects versions prior to 7.0.8 and occurs when a large input buffer is processed by one of the following transforms: to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor. This triggers uncontrolled resource consumption (CWE-400), leading to a crash. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), rated as High severity due to its impact on availability.

Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required. By sending crafted network traffic containing oversized inputs to the affected transform functions, an unauthenticated adversary can cause Suricata to crash, resulting in a denial-of-service condition that disrupts IDS/IPS/NSM operations.

The official GitHub security advisory (GHSA-x2hr-33vp-w289) and Open Information Security Foundation Redmine issue 7229 confirm the issue has been addressed in Suricata version 7.0.8. Security practitioners should upgrade to 7.0.8 or later to mitigate the vulnerability.
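A triage check for the exposure described above, as an added example (not code from the advisory or the Suricata project): it flags versions prior to 7.0.8 and lists the enabled rules that use any of the transforms named in the description. The function names and sample rules are constructed for illustration, and the version string format is an assumption.

```python
import re

# Transform keywords named in the CVE-2024-55605 description.
AFFECTED_TRANSFORMS = {
    "to_lowercase", "to_uppercase", "strip_whitespace", "compress_whitespace",
    "dotprefix", "header_lowercase", "strip_pseudo_headers", "url_decode", "xor",
}
FIXED_VERSION = (7, 0, 8)  # first fixed release according to the page

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"constructed: lowercase uri"; http.uri; to_lowercase; content:"/admin"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed: text mentions url_decode"; http.uri; content:"/login"; sid:1000002; rev:1;)
alert dns any any -> any any (msg:"constructed: dotprefix"; dns.query; dotprefix; content:".example.com"; sid:1000003; rev:1;)
alert http any any -> any any (msg:"constructed: two transforms"; http.uri; strip_whitespace; to_uppercase; content:"/A"; sid:1000004; rev:1;)
# alert http any any -> any any (msg:"constructed: disabled"; http.uri; url_decode; sid:1000005; rev:1;)
'''


def is_affected(version_text):
    """True if the first x.y.z found in version_text is below 7.0.8."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % version_text)
    return tuple(int(p) for p in m.groups()) < FIXED_VERSION


def rules_using_affected_transforms(rules_text):
    """Map sid -> sorted affected transforms used by each enabled rule."""
    hits = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line:
            continue  # skip blanks, commented-out rules, non-rule lines
        options = line[line.index("(") + 1:line.rfind(")")]
        # Blank out quoted strings so msg/content text is never read as a keyword.
        options = re.sub(r'"(?:\\.|[^"\\])*"', '""', options)
        keywords = {opt.split(":", 1)[0].strip() for opt in options.split(";")}
        used = sorted(keywords & AFFECTED_TRANSFORMS)
        if used:
            sid = re.search(r"\bsid\s*:\s*(\d+)", options)
            hits[sid.group(1) if sid else line[:40]] = used
    return hits


if __name__ == "__main__":
    print("affected:", is_affected("This is Suricata version 7.0.7 RELEASE"))
    for sid, used in rules_using_affected_transforms(SAMPLE_RULES).items():
        print(sid, ", ".join(used))
```

The rule list is for scoping only; the fix stated above is the upgrade to 7.0.8 or later.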

Details

CWE(s)

Affected Products

oisf
suricata
≤ 7.0.8

CVEs Like This One

CVE-2026-22259 (same product: Oisf Suricata)
CVE-2026-22258 (same product: Oisf Suricata)
CVE-2026-31937 (same product: Oisf Suricata)
CVE-2026-31935 (same product: Oisf Suricata)
CVE-2026-31933 (same product: Oisf Suricata)
CVE-2026-22262 (same product: Oisf Suricata)
CVE-2026-31932 (same product: Oisf Suricata)
CVE-2026-22264 (same product: Oisf Suricata)
CVE-2026-31934 (same product: Oisf Suricata)
CVE-2026-31931 (same product: Oisf Suricata)
