Cyber Resilience

CVE-2024-55629

High

Published: 06 January 2025
Modified: 31 March 2025
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0052 (40.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-55629 is a high-severity Incomplete Model of Endpoint Features (CWE-437) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked at the 40.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-55629 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. In versions prior to 7.0.8, the vulnerability arises when processing TCP streams containing urgent data (also known as out-of-band data). This causes Suricata to analyze the data differently from the applications at the TCP endpoints, potentially leading to detection evasions. The issue is classified under CWE-437 (Incomplete Model Error) and CWE-436 (Interpretation Conflict), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact without confidentiality or availability disruption.

Remote attackers with network access can exploit this vulnerability without authentication or user interaction. By crafting TCP packets with the urgent flag and associated out-of-band data, adversaries can manipulate how Suricata interprets the stream, causing it to miss or incorrectly classify malicious payloads that endpoint applications process normally. This enables evasion of security rules, allowing attacks like command injection, data exfiltration, or other exploits to bypass Suricata's detection and prevention capabilities.

Mitigation is addressed in Suricata 7.0.8 through configurable handling of TCP urgent data, as detailed in the official GitHub security advisory (GHSA-69wr-vhwg-84h2) and related commits. Users should upgrade to version 7.0.8 or later. In IPS mode, a workaround involves deploying a drop rule such as "drop tcp any any -> any any (sid:1; tcp.flags:U*;)" to discard packets with the urgent flag set, preventing exploitation until patching is feasible. Additional details are available in the Open Information Security Foundation's Redmine issue tracker (issue 7411).
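As an added illustration (not code from the advisory or the Suricata project), the following Python models what the IPS workaround above does: it parses a raw TCP header, evaluates the `tcp.flags:U*` condition (URG set, any other flags ignored) and applies the drop decision to constructed sample segments. The segment builder, port numbers and payloads are constructed test data.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 / RFC 3168)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header of a raw segment (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    flag_bits = off_flags & 0xFF
    flags = {name for name, bit in TCP_FLAGS.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "urg_ptr": urg_ptr, "payload": segment[data_offset:]}


def matches_urg_rule(segment: bytes) -> bool:
    """Equivalent of the workaround signature's `tcp.flags:U*` condition:
    match whenever URG is set, regardless of which other flags are present."""
    return "URG" in parse_tcp_header(segment)["flags"]


def apply_drop_rule(segments) -> list:
    """Apply the IPS workaround to a list of raw segments: URG-flagged
    segments are dropped (sid:1), everything else passes untouched."""
    return ["drop" if matches_urg_rule(s) else "pass" for s in segments]


def build_tcp_segment(sport, dport, flags, payload=b"", urg_ptr=0,
                      seq=0, ack=0) -> bytes:
    """Construct a minimal 20-byte-header TCP segment for offline testing
    (constructed data; checksum left at zero, window fixed at 65535)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    off_flags = (5 << 12) | flag_bits            # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, 65535, 0, urg_ptr) + payload


if __name__ == "__main__":
    urgent = build_tcp_segment(40000, 80, {"PSH", "ACK", "URG"},
                               b"GET / HTTP/1.1\r\n", urg_ptr=1)
    normal = build_tcp_segment(40000, 80, {"PSH", "ACK"}, b"GET / HTTP/1.1\r\n")
    print(apply_drop_rule([urgent, normal]))    # ['drop', 'pass']
```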

Vulnerability details

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with urgent flag set.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1685 Disable or Modify Tools (Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications (e.
T1071 Application Layer Protocol (Command And Control): Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic.
Why these techniques?

Vulnerability enables IDS/IPS evasion via TCP urgent data interpretation conflict (CWE-436/437), directly facilitating indicator blocking and application-layer protocol abuse to bypass detection of payloads.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55628 (same product: Oisf Suricata)
CVE-2026-22259 (same product: Oisf Suricata)
CVE-2026-31935 (same product: Oisf Suricata)
CVE-2026-22258 (same product: Oisf Suricata)
CVE-2026-31933 (same product: Oisf Suricata)
CVE-2026-31932 (same product: Oisf Suricata)
CVE-2026-22264 (same product: Oisf Suricata)
CVE-2026-31931 (same product: Oisf Suricata)
CVE-2026-31934 (same product: Oisf Suricata)
CVE-2024-55605 (same product: Oisf Suricata)

Affected Assets

oisf / suricata ≤ 7.0.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-2 (Flaw Remediation): Directly requires timely remediation of the Suricata flaw by patching to version 7.0.8 or later to correct TCP urgent data handling and prevent evasions.

prevent · CM-6 (Configuration Settings): Mandates secure configuration settings for Suricata, including TCP urgent data options and drop rules for urgent flag packets to block exploitation.

detect: Enables detection of vulnerable Suricata versions through vulnerability scanning and monitoring of advisories like GHSA-69wr-vhwg-84h2.
