Victorjulien

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 8.0.3 Suricata versions prior to 7.0.14 **Description** Suricata is a network IDS, IPS and NSM engine. Inefficiencies in extended forwarding format (xff) handling, particularly for alerts that are not triggered within a transaction (tx), can cause significant performance degradation. Disabling XFF support in the eve configuration can serve as a workaround. The setting is disabled by default. **Recommendations** Update to Suricata version 8.0.3 or later. Update to Suricata version 7.0.14 or later. Disable XFF support in the eve configuration as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Suricata versions 8.0.0 through 8.0.2 **Description** Suricata, a network IDS, IPS and NSM engine, is susceptible to a stack overflow that can cause the software to crash. This issue affects versions starting from 8.0.0 and prior to 8.0.3. As a temporary measure, utilizing default values for the `request-body-limit` and `response-body-limit` parameters can mitigate the issue. **Recommendations** Update to Suricata version 8.0.3 or later. As a temporary workaround, use default values for the `request-body-limit` and `response-body-limit` parameters.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 8.0.3 Suricata versions prior to 7.0.14 **Description** Suricata is a network IDS, IPS and NSM engine. A stack buffer overflow can occur while saving a dataset due to the use of a stack buffer to prepare the data. If the data in the dataset is too large, this can lead to a stack overflow. Exploitation of this issue may allow a remote attacker to cause a denial of service or potentially achieve code execution. **Recommendations** Update Suricata to version 8.0.3 or later. Update Suricata to version 7.0.14 or later. As a workaround, do not use rules with datasets `save` nor `state` options.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 8.0.1 **Description** Suricata, a network IDS, IPS and NSM engine, contains a flaw where rules utilizing the `ldap.responses.attribute type` keyword, in conjunction with transforms, can cause a stack buffer overflow. This overflow can occur during Suricata startup or when rules are reloaded. The issue is present in version 8.0.0. **Recommendations** Disable rules that use `ldap.responses.attribute type` and transforms. Update to version 8.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Suricata versions (affected versions not specified) **Description** The issue concerns a problem where the `decode base64` signature can cause large memory allocation. This could potentially lead to issues with the Suricata package in Debian Linux. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Suricata versions (affected versions not specified) **Description** The issue is related to the af-packet defrag option, which can lead to truncated packets. This affects Suricata in Debian Linux. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Suricata versions (affected versions not specified) **Description** The issue is related to high memory usage caused by the hashsize setting via rules in Suricata. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Suricata versions (affected versions not specified) **Description** The issue is related to an infinite loop that can occur with negated pcre and an indefinite recursion limit setting. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 7.0.8 **Description** The issue is related to asymmetric resource consumption due to incorrect compression of DNS resource names when processing DNS messages. This can be exploited by a remote attacker to cause a denial of service. The problem arises when small DNS messages contain very large hostnames, which can be costly to decode and lead to very large DNS log records. Although limits are in place, they were too generous, allowing for potential exploitation. **Recommendations** For Suricata versions prior to 7.0.8, update to version 7.0.8 to address the issue. As a temporary workaround, consider restricting the size of DNS messages or limiting the decoding of large hostnames to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Suricata versions prior to 7.0.7 Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System, and Network Security Monitoring engine. A logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior. Recommendations: For versions prior to 7.0.7, update to version 7.0.7 to resolve the issue. As a temporary workaround, consider restricting the handling of fragmented packets until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 7.0.3 **Description** The issue is related to the rules inspecting HTTP2 headers in Suricata, which can be bypassed by crafted traffic. This can potentially allow a remote attacker to compromise the integrity of protected information. The vulnerability has been patched in version 7.0.3. **Recommendations** For Suricata versions prior to 7.0.3, update to version 7.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTTP2 headers inspection rules until a patch is applied.