CVE-2024-55628
Published: 06 January 2025
Summary
CVE-2024-55628 is a high-severity Asymmetric Resource Consumption (Amplification, CWE-405) vulnerability in OISF Suricata. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE ranks in the top 32.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation (patching): directly mitigates the vulnerability by requiring timely patching of Suricata to version 7.0.8 or later, which tightens DNS hostname length limits and decompression bounds. This is the primary control; the two below only reduce impact.
- SC-5 (Denial-of-service Protection): provides denial-of-service protections such as rate limiting and traffic monitoring against floods of crafted DNS packets that trigger CPU exhaustion in Suricata. Because the cost per packet is asymmetric, even a modest packet rate can impose significant load, so rate limiting is a partial control only.
- SC-6 (Resource Availability): ensures resource availability by protecting Suricata's CPU and disk resources (for example, log volume limits and rotation) from exhaustion caused by oversized DNS name decoding and log records.
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The vulnerability enables a direct application-layer DoS: crafted DNS packets exploit asymmetric resource consumption in Suricata's DNS name decompression and logging, so a small amount of attacker traffic translates into disproportionate CPU and disk usage on the sensor.
NVD Description
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8.
Deeper analysis
CVE-2024-55628 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. In versions prior to 7.0.8, the vulnerability stems from insufficiently bounded handling of DNS resource name compression: compression pointers let a small DNS message encode names that expand to very large hostnames when decoded. Expanding those names is computationally expensive, and the expanded names are then written into oversized DNS log records. The limits that existed on hostname length were too permissive. NVD assigns a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps the flaw to CWE-405 (Asymmetric Resource Consumption (Amplification)), CWE-779 (Logging of Excessive Data), and NVD-CWE-Other.
A remote, unauthenticated attacker can exploit this flaw by sending specially crafted DNS packets over the network. The decompression work consumes resources out of proportion to the packet size, potentially leading to denial-of-service conditions through CPU exhaustion or disk space depletion from massive log entries. No user interaction or privileges are required. Note that Suricata is a sensor, not the destination of the traffic: whether deployed passively (IDS/NSM) or inline (IPS), it decodes any DNS traffic crossing a monitored segment, so the attacker does not need to reach the sensor host itself, only to get crafted DNS packets onto a link it inspects.
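To make the asymmetry concrete, the following is an added illustration written for this page; it is not Suricata code and not the proof of concept from the advisory. It builds a constructed DNS-style message in which each name is a 63-octet label followed by a compression pointer to the previous name, so wire size grows linearly while the fully expanded names grow quadratically in total. It then decodes the names once without limits and once with a bound on expanded length. The 255-octet bound is RFC 1035's maximum for a complete domain name and is chosen here as an example; the exact limits Suricata used before and after 7.0.8 are not stated on this page. All function names and the sample message are this example's own.

```python
import struct

# 63 octets is the maximum label length allowed by RFC 1035.
LABEL = b"a" * 63


def build_chain_message(n_names: int, label: bytes = LABEL):
    """Constructed sample: a 12-byte placeholder header followed by n_names
    names, where name k is `label` plus a compression pointer to name k-1.
    Returns (message bytes, list of the offset of each name)."""
    buf = bytearray(12)  # header contents do not matter for name decoding
    offsets = []
    for i in range(n_names):
        offsets.append(len(buf))
        buf += bytes([len(label)]) + label
        if i == 0:
            buf += b"\x00"  # root label terminates the first name
        else:
            # 0xC0xx is a two-octet compression pointer to an earlier offset
            buf += struct.pack("!H", 0xC000 | offsets[i - 1])
    return bytes(buf), offsets


def decode_name(msg: bytes, offset: int, max_len=None, max_jumps=None) -> str:
    """Expand the name at `offset`, following compression pointers.

    max_len bounds the expanded wire-format length (length octets plus label
    octets); max_jumps bounds how many pointers are followed. With both None
    the decoder trusts the message and expands whatever it finds. Pointers
    must point strictly backwards, which is enough to rule out loops.
    """
    labels, total, jumps, pos = [], 0, 0, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[pos]
        if ln == 0:
            break
        if (ln & 0xC0) == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:
                raise ValueError("forward or self-referencing pointer")
            jumps += 1
            if max_jumps is not None and jumps > max_jumps:
                raise ValueError("too many compression pointers")
            pos = target
            continue
        if ln > 63:
            raise ValueError("label longer than 63 octets")
        if pos + 1 + ln > len(msg):
            raise ValueError("label runs past end of message")
        total += 1 + ln
        if max_len is not None and total > max_len:
            raise ValueError("expanded name exceeds %d octets" % max_len)
        labels.append(msg[pos + 1:pos + 1 + ln])
        pos += 1 + ln
    return b".".join(labels).decode("ascii", "replace")


def decode_all(msg, offsets, max_len=None, max_jumps=None):
    """Decode every name in the sample; return (accepted, rejected,
    total expanded characters), i.e. roughly what a logger would emit."""
    accepted = rejected = total_chars = 0
    for off in offsets:
        try:
            name = decode_name(msg, off, max_len=max_len, max_jumps=max_jumps)
        except ValueError:
            rejected += 1
            continue
        accepted += 1
        total_chars += len(name)
    return accepted, rejected, total_chars


def rejects(msg, offset, **limits) -> bool:
    """True if decode_name refuses the name at `offset` under `limits`."""
    try:
        decode_name(msg, offset, **limits)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    msg, offsets = build_chain_message(200)
    print("wire size:", len(msg), "bytes")
    print("unbounded (accepted, rejected, expanded chars):", decode_all(msg, offsets))
    print("255-octet bound:", decode_all(msg, offsets, max_len=255))
    loop = bytes(12) + b"\xc0\x0c"  # pointer at offset 12 pointing at itself
    print("self-referencing pointer rejected:", rejects(loop, 12))
```

With 200 names the message is about 13 KB on the wire, yet the unbounded decoder produces roughly 1.29 MB of expanded name text, which is the input a DNS logger would then serialize. A per-name bound stops the growth after the third name. A per-name cap alone still allows many moderately large names in one message, so a defender also wants the aggregate limits (per-message decode budget, log record size) that the SC-6 control above describes.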
The issue was addressed in Suricata version 7.0.8 via targeted commits that tighten hostname length limits and bound the decompression work. Official advisories, including GHSA-96w4-jqwf-qx2j on GitHub and the Open Information Security Foundation's Redmine ticket #7280, recommend upgrading to 7.0.8 or later; verify the running version with suricata -V before and after the upgrade. The relevant patches are commits 19cf0f81335d9f787d587450f7105ad95a648951, 37f4c52b22fcdde4adf9b479cb5700f89d00768d, and 3a5671739f5b25e5dd973a74ca5fd8ea40e1ae2d.
Details
- CWE(s)