Suricata, a popular network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring engine, has a vulnerability in versions prior to 7.0.3. The issue is excessive memory use during pgsql parsing, which can lead to crashes due to Out-Of-Memory (OOM) conditions. The vulnerability, tracked as CVE-2024-23835, is patched in Suricata 7.0.3. Users who cannot upgrade immediately can apply a workaround by disabling the pgsql app layer parser.

Introduction

Intrusion Detection Systems and Intrusion Prevention Systems are essential tools for securing networks. Suricata is one such open-source IDS, IPS, and Network Security Monitoring engine. It offers real-time detection and prevention capabilities against cyber threats. However, a recent vulnerability has been identified in its pgsql parser that could lead to OOM-related crashes, which may affect the overall security and performance of the system.

Details of Exploit

The vulnerability, designated CVE-2024-23835, has its roots in excessive memory usage during the parsing of pgsql connections. Because of this issue, the affected system may run out of memory and crash. It affects Suricata versions lower than 7.0.3.

- Suricata 7.0.3 Release Notes and Patch: https://suricata.readthedocs.io/en/suricata-7.0.3/releases/7.0.3.html
- CVE-2024-23835 Advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23835

Code Snippet

The problem in question exists in the affected Suricata versions' pgsql parser. A possible workaround is to disable the pgsql app layer parser in the Suricata configuration file.

# suricata.yaml
app-layer:
  protocols:
    pgsql:
      enabled: no

By adding the above snippet to the suricata.yaml configuration file and thereby disabling the pgsql app layer parser, users can avoid OOM-related crashes caused by this vulnerability. However, it is crucial to upgrade the Suricata instance to the latest version, i.e., 7.0.3, for optimal security and performance.

Mitigation and Recommendations

To safeguard against this vulnerability, users should immediately upgrade to Suricata 7.0.3. This patched version addresses CVE-2024-23835 and ensures that pgsql parsing memory use remains within safe limits.

As mentioned above, an alternative is to disable the pgsql app layer parser in the configuration file until the Suricata instance can be upgraded. However, this workaround might reduce the system's overall visibility into pgsql traffic.
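As an added example (not code from the advisory or from the Suricata project), the check below classifies a host as patched, affected with the workaround applied, or affected with the pgsql parser still enabled. It assumes the version line format printed by `suricata -V` and the flat `key = value` format printed by `suricata --dump-config`; the sample strings are constructed for the demonstration, not captured from a real host.

```python
import re

# Constructed sample outputs (not captured from a real system):
# SAMPLE_VERSION mimics `suricata -V`, SAMPLE_DUMP mimics the relevant
# lines of `suricata --dump-config` (assumed "key = value" format).
SAMPLE_VERSION = "This is Suricata version 7.0.2 RELEASE"
SAMPLE_DUMP = """\
app-layer.protocols.pgsql = (null)
app-layer.protocols.pgsql.enabled = yes
app-layer.protocols.pgsql.detection-ports.dp = 5432
"""

# CVE-2024-23835 is fixed in Suricata 7.0.3; the advisory says earlier versions are affected.
FIXED_VERSION = (7, 0, 3)
PGSQL_KEY = "app-layer.protocols.pgsql.enabled"


def parse_version(version_text):
    """Extract (major, minor, patch) from the `suricata -V` banner."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no Suricata version found in: %r" % version_text)
    return tuple(int(x) for x in m.groups())


def pgsql_parser_enabled(dump_text):
    """Return True/False from the dumped config, or None if the key is absent."""
    for line in dump_text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep and key.strip() == PGSQL_KEY:
            return value.strip().lower() in ("yes", "true", "1")
    return None


def assess(version_text, dump_text):
    """Classify the host with respect to CVE-2024-23835."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched"
    if pgsql_parser_enabled(dump_text) is False:
        return "affected version, workaround applied"
    # Parser enabled, or key missing (Suricata's default is enabled).
    return "affected version, pgsql parser enabled"


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_DUMP))
```

On a real host, feed the script the actual outputs of `suricata -V` and `suricata --dump-config` instead of the constructed samples.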

Conclusion

CVE-2024-23835 is a significant vulnerability affecting Suricata instances with versions prior to 7.0.3. To ensure full protection against potential exploits and crashes, it is vital to upgrade to the secure version. Users should regularly monitor and assess their systems for vulnerabilities to maintain network security and stay protected against cyber threats.

Timeline

Published on: 02/26/2024 16:27:57 UTC
Last modified on: 03/07/2024 03:15:06 UTC