CVE-2024-45795
Suricata detect/datasets: reachable assertion with unimplemented rule option
In short
Suricata can crash when processing network traffic if certain security rules use an unimplemented 'unset' option with datasets. This denial of service affects network monitoring and protection capabilities.
Technical detail
A reachable assertion in Suricata's dataset handling lets a remote attacker trigger a denial of service by sending traffic that is matched against a rule containing the unimplemented 'unset' dataset command. The vulnerability requires such a rule to be loaded in the active ruleset; the impact is on the availability of the IDS/IPS engine (the worker process aborts on the assertion).
Summary generated and translated by AI from the official description.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets.
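The workaround above is to run only trusted, well-tested rulesets. The following added example (not part of the advisory or of the Suricata project) is a small pre-deployment check that scans a ruleset for dataset rules using the 'unset' command and flags a Suricata version older than 7.0.7. It assumes Suricata's documented option syntax `dataset:<cmd>,<name>,...`; the sample rules and version strings are constructed for illustration.

```python
"""Pre-deployment ruleset check for CVE-2024-45795.

Added example, not code from the advisory or from the Suricata project.
It flags rules that use the unimplemented 'unset' dataset command and
reports whether a given Suricata version predates the fixed release 7.0.7.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (7, 0, 7)  # first release that addresses the issue (from the advisory)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.0.6' into (7, 0, 6); suffixes such as '-rc1' are ignored."""
    core = re.match(r"[\d.]+", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split(".") if p != "")


def is_vulnerable_version(v: str) -> bool:
    """True when the engine version is older than the fixed release."""
    return parse_version(v) < FIXED_VERSION


def split_options(opts: str) -> List[str]:
    """Split a rule's option body on ';', ignoring ';' inside double quotes."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def find_unset_dataset_rules(rule_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, sid, dataset option) for every active rule using dataset:unset."""
    findings = []
    for lineno, raw in enumerate(rule_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule: never loaded by the engine
        start, end = line.find("("), line.rfind(")")
        if start == -1 or end == -1 or end < start:
            continue  # no option body; not something this check can parse
        sid, offending = "?", []
        for opt in split_options(line[start + 1:end]):
            key, _, value = opt.partition(":")
            key = key.strip()
            if key == "sid":
                sid = value.strip()
            elif key == "dataset" and value.split(",", 1)[0].strip() == "unset":
                offending.append(opt)
        for opt in offending:
            findings.append((lineno, sid, opt))
    return findings


# Constructed sample ruleset: two valid dataset rules, one using the
# unimplemented 'unset' command, and one disabled copy that must be ignored.
SAMPLE_RULES = """\
# constructed sample ruleset for the check above
alert http any any -> any any (msg:"dataset set"; http.host; dataset:set,seen-hosts,type string,save seen.lst; sid:1000001; rev:1;)
alert http any any -> any any (msg:"dataset isset"; http.host; dataset:isset,seen-hosts,type string; sid:1000002; rev:1;)
alert http any any -> any any (msg:"dataset unset; quoted"; http.host; dataset:unset,seen-hosts,type string; sid:1000003; rev:1;)
# alert http any any -> any any (msg:"disabled"; http.host; dataset:unset,seen-hosts,type string; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for version in ("7.0.6", "7.0.7"):  # constructed version strings
        state = "vulnerable" if is_vulnerable_version(version) else "fixed"
        print(f"suricata {version}: {state}")
    for lineno, sid, opt in find_unset_dataset_rules(SAMPLE_RULES):
        print(f"line {lineno} sid {sid}: '{opt}' uses the unimplemented unset command")
```

Run the check against each rule file before it is loaded into an engine older than 7.0.7; a hit on an active rule means that rule should be removed or rewritten before deployment, independent of the vendor's patch.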
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
OISF · suricata