Name | CVE-2024-37151 |
Description | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | ELA-1162-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
suricata (PTS) | jessie, jessie (lts) | 2.0.7-2+deb8u5 | vulnerable |
stretch | 3.2.1-1+deb9u1 | vulnerable | |
buster, buster (lts) | 1:4.1.2-2+deb10u2 | fixed | |
bullseye | 1:6.0.1-3 | vulnerable | |
bookworm | 1:6.0.10-1 | vulnerable | |
sid, trixie | 1:7.0.7-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
suricata | source | jessie | (unfixed) | end-of-life | ||
suricata | source | stretch | (unfixed) | end-of-life | ||
suricata | source | buster | 1:4.1.2-2+deb10u2 | ELA-1162-1 | ||
suricata | source | (unstable) | 1:7.0.6-1 |
[bookworm] - suricata <no-dsa> (Minor issue)
[bullseye] - suricata <no-dsa> (Minor issue)
https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24
https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0 (suricata-6.0.20)
https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b (suricata-7.0.6)
https://redmine.openinfosecfoundation.org/issues/7041
https://redmine.openinfosecfoundation.org/issues/7042