CVE-2024-37151

NameCVE-2024-37151
DescriptionSuricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesELA-1162-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
suricata (PTS)jessie, jessie (lts)2.0.7-2+deb8u5vulnerable
stretch3.2.1-1+deb9u1vulnerable
buster, buster (lts)1:4.1.2-2+deb10u2fixed
bullseye1:6.0.1-3vulnerable
bookworm1:6.0.10-1vulnerable
sid, trixie1:7.0.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
suricatasourcejessie(unfixed)end-of-life
suricatasourcestretch(unfixed)end-of-life
suricatasourcebuster1:4.1.2-2+deb10u2ELA-1162-1
suricatasource(unstable)1:7.0.6-1

Notes

[bookworm] - suricata <no-dsa> (Minor issue)
[bullseye] - suricata <no-dsa> (Minor issue)
https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24
https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0 (suricata-6.0.20)
https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b (suricata-7.0.6)
https://redmine.openinfosecfoundation.org/issues/7041
https://redmine.openinfosecfoundation.org/issues/7042

Search for package or bug name: Reporting problems