CVE-2024-37151

Suricata defrag: IP ID reuse can lead to policy bypass

CVSS 5.3 MEDIUM · EPSS 0.6% · CWE-754 (Improper Check for Unusual or Exceptional Conditions)
In short

Suricata can fail to reassemble fragmented IP packets when a later datagram reuses an IP ID value the sensor has already seen for the same source, destination and protocol. A datagram the sensor never rebuilds is never checked against policy, so an attacker can craft fragments that the destination host reassembles normally while Suricata's inspection of the reassembled payload is skipped.

Technical detail

The defragmentation engine in Suricata mishandles multiple fragmented IP packets that share the same IP ID value, the field a reassembler uses together with source address, destination address and protocol to group fragments into one datagram. When a later datagram reuses an ID, reassembly can fail. A datagram the sensor does not rebuild is one whose reassembled payload its rules never see, even though the end host reassembles it normally, which is the policy bypass. The fix is in Suricata 7.0.6 and 6.0.20. On af-packet deployments, enabling the interface's `defrag` option in suricata.yaml reduces the scope of the problem but does not replace the upgrade.
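To make the failure mode concrete, the following is an added example, not code from Suricata or from this advisory: a small IPv4 fragment reassembler keyed on (src, dst, proto, id), written two ways. The first keeps a tracker alive after its datagram completes, so a second datagram that reuses the same IP ID lands on the finished tracker and is never rebuilt; the second retires the tracker on completion and rebuilds both. The stale-tracker variant models one way an IP ID reuse failure can look and is not a description of Suricata's internals; the addresses, ID, protocol number and payloads are constructed sample data, and the class and function names are this example's own.

```python
"""IPv4 defragmentation keyed on (src, dst, proto, id), with and without
tracker retirement, to show how IP ID reuse can leave a datagram
uninspected. Added illustration; not Suricata's code."""
import struct

IP_MF = 0x2000              # "more fragments" flag
IP_OFFMASK = 0x1FFF         # fragment offset, in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte header, no options


def build_fragments(src, dst, ip_id, proto, payload, frag_size=8):
    """Split payload into IPv4 fragments with a minimal 20-byte header."""
    if frag_size % 8:
        raise ValueError("fragment payloads must be multiples of 8 bytes")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        flags_off = (IP_MF if more else 0) | (off // 8)
        hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(chunk), ip_id,
                          flags_off, 64, proto, 0, src, dst)
        frags.append(hdr + chunk)
    return frags


def parse_fragment(pkt):
    """Extract the reassembly key, byte offset, MF flag and data of a fragment."""
    ver_ihl, _, total, ip_id, flags_off, _, proto, _, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, proto, ip_id),
        "offset": (flags_off & IP_OFFMASK) * 8,
        "more": bool(flags_off & IP_MF),
        "data": pkt[ihl:total],
    }


def assemble(frags):
    """Return the full payload if every fragment is present, else None."""
    expected, out = 0, b""
    while expected in frags:
        data, more = frags[expected]
        if more and not data:
            return None       # empty non-final fragment: refuse to loop
        out += data
        if not more:
            return out
        expected += len(data)
    return None


class StaleTrackerReassembler:
    """Keeps a tracker after its datagram completes. A later datagram that
    reuses the same IP ID hits the finished tracker and is never rebuilt.
    Illustrative failure model only, not Suricata's implementation."""

    def __init__(self):
        self.trackers = {}

    def feed(self, pkt):
        f = parse_fragment(pkt)
        t = self.trackers.setdefault(f["key"], {"frags": {}, "done": False})
        if t["done"]:
            return None       # fragment of the reused ID is silently ignored
        t["frags"][f["offset"]] = (f["data"], f["more"])
        payload = assemble(t["frags"])
        if payload is not None:
            t["done"] = True
        return payload


class RetiringReassembler:
    """Drops the tracker the moment its datagram completes, so a reused
    IP ID starts a fresh reassembly instead of hitting a finished one."""

    def __init__(self):
        self.trackers = {}

    def feed(self, pkt):
        f = parse_fragment(pkt)
        t = self.trackers.setdefault(f["key"], {})
        t[f["offset"]] = (f["data"], f["more"])
        payload = assemble(t)
        if payload is not None:
            del self.trackers[f["key"]]
        return payload


def reassemble_with_reused_id(reassembler_cls):
    """Push two fragmented datagrams that share IP ID 0x1234 through the
    given reassembler and return the payloads it managed to rebuild.
    Addresses, ID, protocol and payloads are constructed sample data."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    datagrams = [b"first datagram!!", b"second datagram!"]   # 16 bytes each
    r = reassembler_cls()
    rebuilt = []
    for payload in datagrams:
        for frag in build_fragments(src, dst, 0x1234, 17, payload):
            out = r.feed(frag)
            if out is not None:
                rebuilt.append(out)
    return rebuilt


if __name__ == "__main__":
    print("stale tracker:", reassemble_with_reused_id(StaleTrackerReassembler))
    print("retiring     :", reassemble_with_reused_id(RetiringReassembler))
```

The practitioner's check on a real sensor is the same shape as `reassemble_with_reused_id`: replay two fragmented datagrams that share an IP ID through the monitored interface and confirm that a rule matching the second datagram's reassembled payload still alerts after the upgrade.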

Summary generated and translated by AI from the official description.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
OISF · suricata
