SB20241016113 - Multiple vulnerabilities in Suricata

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Use of insufficiently random values (CVE-ID: CVE-2024-47188)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use of insufficiently random values in http/byte-ranges byte-range tracking when processing byte-range data. A remote attacker can force large amounts of data into a single hash bucket to cause a denial of service.

The issue results in predictable hash table behavior and can lead to severe performance degradation.

2) Use of insufficiently random values (CVE-ID: CVE-2024-47187)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use of insufficiently random values in the thash hashtable implementation for datasets when loading dataset files or handling tracked traffic. A remote attacker can supply a crafted dataset or traffic patterns that trigger predictable hash table behavior to cause a denial of service.

3) Reachable assertion (CVE-ID: CVE-2024-47522)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in JA4 processing for TLS/QUIC traffic when handling invalid ALPN values. A remote attacker can send specially crafted TLS or QUIC traffic to cause a denial of service.

The issue is exposed when JA4 matching or logging is enabled.

4) Off-by-one (CVE-ID: CVE-2024-45796)

The vulnerability allows a remote attacker to bypass policy enforcement.

The vulnerability exists due to an off-by-one error in the defragmentation and fragment reassembly logic when processing crafted fragmented packets. A remote attacker can send specially crafted packets to bypass policy enforcement.

Valid traffic may fail reassembly when the issue is triggered.

5) Reachable assertion (CVE-ID: CVE-2024-45795)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to reachable assertion in detect/datasets when parsing traffic with rules using datasets and the unimplemented "unset" option. A remote attacker can send traffic that matches a specially crafted rule to cause a denial of service.

Remediation

Install update from vendor's website.

References

• https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872
• https://redmine.openinfosecfoundation.org/issues/7289
• https://github.com/OISF/suricata/security/advisories/GHSA-64ww-4f6x-863p
• https://redmine.openinfosecfoundation.org/issues/7209
• https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7
• https://github.com/advisories/GHSA-w5xv-6586-jpm7
• https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg
• https://redmine.openinfosecfoundation.org/issues/7067
• https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g
• https://redmine.openinfosecfoundation.org/issues/7195