
Cloud Vulnerability DB
A community-led vulnerabilities database
Suricata, a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine, was found to contain a buffer overflow vulnerability (CVE-2024-32664) affecting versions prior to 7.0.5 and 6.0.19. The vulnerability was discovered in May 2024 and involves specially crafted traffic or datasets that can cause a limited buffer overflow (NVD, GitHub Advisory).
The vulnerability resides in Suricata's base64 decoding function, DecodeBase64. When the output buffer is already full, specially crafted input can trick the function into thinking there is space remaining, so that it writes three additional bytes beyond the buffer's bounds. This happens while handling base64 padding: if the padding equals three or four (a value the attacker controls), memory corruption occurs, leading to a limited buffer overflow (Securelist).
The vulnerability has been assigned a CVSS base score of 7.3 (HIGH) by NIST and 5.3 (MEDIUM) by GitHub, indicating a significant security risk. The buffer overflow condition could potentially lead to remote code execution, though the exact impact may vary depending on the implementation and environment (NVD).
The vulnerability has been fixed in Suricata versions 6.0.19 and 7.0.5. For users unable to update, several workarounds are available: (1) do not load untrusted datasets; (2) do not use rules that combine the base64_decode keyword with the bytes option set to 1, 2 or 5; and (3) for version 7.0.x, set app-layer.protocols.smtp.mime.body-md5 to false (GitHub Advisory).
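The version and workaround conditions above can be checked mechanically. The following Python is an added example, not part of the advisory or of Suricata's own tooling: it compares a version against the fixed releases, flags enabled rules that use base64_decode with bytes 1, 2 or 5, and reads the body-md5 setting. The function names and the sample rules and YAML are constructed for illustration, and it assumes one rule per line and plain x.y.z version strings.

```python
import re

RISKY_BYTES = {1, 2, 5}  # bytes values named in the advisory workaround
B64_RE = re.compile(r"\bbase64_decode\s*:\s*([^;]*);")
BYTES_RE = re.compile(r"\bbytes\s+(\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
KEY_PATH = ["app-layer", "protocols", "smtp", "mime", "body-md5"]

def is_patched(version):
    """True if version is at or above the fixed releases 6.0.19 / 7.0.5."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return v >= ((7, 0, 5) if v >= (7, 0, 0) else (6, 0, 19))

def risky_rules(rules_text):
    """Sids of enabled rules using base64_decode with bytes 1, 2 or 5."""
    hits = []
    for line in map(str.strip, rules_text.splitlines()):
        if not line or line.startswith("#"):  # commented-out rules are not loaded
            continue
        sizes = [int(m.group(1)) for opts in B64_RE.findall(line)
                 for m in BYTES_RE.finditer(opts)]
        if RISKY_BYTES.intersection(sizes):
            sid = SID_RE.search(line)
            hits.append(sid.group(1) if sid else "unknown")
    return hits

def body_md5_setting(yaml_text):
    """True/False for the smtp mime body-md5 key, None if unset (not a full YAML parser)."""
    path = []
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        # Drop siblings and deeper keys, then descend into the current key
        path = [(i, k) for i, k in path if i < indent] + [(indent, key.strip())]
        if [k for _, k in path] == KEY_PATH:
            return value.strip().lower() in ("yes", "true", "on")
    return None

# Constructed sample input (not real rules or a real configuration)
SAMPLE_RULES = """\
alert http any any -> any any (msg:"A"; base64_decode:bytes 5, offset 0, relative; sid:1000001;)
alert http any any -> any any (msg:"B"; base64_decode:bytes 16, relative; sid:1000002;)
# alert http any any -> any any (msg:"C"; base64_decode:bytes 1; sid:1000003;)
alert http any any -> any any (msg:"D"; base64_decode:offset 4, bytes 2; sid:1000004;)
"""
SAMPLE_YAML = "app-layer:\n  protocols:\n    smtp:\n      mime:\n        decode-mime: yes\n        body-md5: yes\n"
```

A sensor is worth reviewing when `is_patched` is false and either `risky_rules` returns any sid or, on 7.0.x, `body_md5_setting` returns True.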
The vulnerability was discovered by Evgeny Legerov of Kaspersky Lab during penetration testing activities. The discovery was part of a broader security assessment that also uncovered vulnerabilities in other components (Securelist).
Source: This report was generated using AI