CVE-2024-47187 Overview
CVE-2024-47187 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring engine maintained by the Open Information Security Foundation (OISF). Versions prior to 7.0.7 fail to initialize a random seed for the thash data structure used by datasets. The predictable hash table behavior allows attackers to craft inputs that trigger worst-case algorithmic complexity. Dataset file loading consumes excessive time, and runtime traffic handling degrades significantly. The defect is categorized under [CWE-330] Use of Insufficiently Random Values and [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
Critical Impact
Attackers can supply crafted datasets or traffic that causes hash collisions, exhausting CPU and memory resources on the Suricata sensor and degrading network monitoring capability.
Affected Products
- OISF Suricata versions prior to 7.0.7
- Deployments loading datasets from untrusted sources
- Rulesets that use dataset rules to track live traffic
Discovery Timeline
- 2024-10-16 - CVE-2024-47187 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-47187
Vulnerability Analysis
Suricata implements datasets, a feature that lets rule authors track values such as IP addresses, domains, or strings across traffic. Datasets are backed by an internal hash table referred to as thash. In versions before 7.0.7, the hash seed used by thash is not initialized with a random value at startup. The hashing behavior is therefore deterministic and reproducible across runs and across deployments.
An attacker who can predict the hash function can engineer inputs that collide into the same bucket. Hash table operations then degrade from average-case constant time to worst-case linear time. The resulting algorithmic complexity attack consumes CPU during dataset loading and during live traffic inspection. A sensor under load drops packets, falls behind on flow tracking, or stops generating alerts.
Root Cause
The root cause is a missing call to seed the thash random value during initialization. Any hash table that indexes attacker-influenced input should be keyed with a seed drawn from a cryptographically secure random source, chosen once per process at startup. Without a fresh seed per process, collision sets are computable offline and reusable against every Suricata instance.
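The following toy model, added here and not taken from Suricata's source, illustrates the property described in the Vulnerability Analysis and Root Cause sections: a chained hash table whose seed is fixed (modelling the uninitialized thash seed before 7.0.7) places every key in the same bucket on every instance and every deployment, whereas a seed drawn from the OS CSPRNG at construction time (modelling the fix) makes bucket placement differ between instances. The hash function, bucket count, class names and sample keys are all constructed for this example; the hash is an FNV-1a variant, not the hash Suricata actually uses.

```python
"""Added illustration (not Suricata's own code): why a hash table that indexes
attacker-influenced input needs a per-process random seed.

seed=0 models the pre-7.0.7 behaviour (thash seed left uninitialized);
seed=None models the fix (fresh seed drawn from the OS CSPRNG per instance).
The hash function, table size and sample keys are constructed for this example.
"""
import secrets

MASK64 = 0xFFFFFFFFFFFFFFFF


def hash_key(key: bytes, seed: int) -> int:
    """FNV-1a style 64-bit hash with the seed folded into the offset basis.
    Constructed for this example; it is not the hash Suricata uses."""
    h = (0xCBF29CE484222325 ^ seed) & MASK64
    for b in key:
        h ^= b
        h = (h * 0x100000001B3) & MASK64
    return h


class ChainedTable:
    """Minimal chained hash table; each bucket is a list (the 'chain')."""

    def __init__(self, seed=None, n_buckets=256):
        # The fix: pick the seed from a CSPRNG once per instance (per process).
        self.seed = secrets.randbits(64) if seed is None else seed
        self.buckets = [[] for _ in range(n_buckets)]

    def bucket_of(self, key: bytes) -> int:
        return hash_key(key, self.seed) % len(self.buckets)

    def insert(self, key: bytes) -> None:
        self.buckets[self.bucket_of(key)].append(key)

    def lookup_cost(self, key: bytes) -> int:
        """Comparisons needed to find key: 1 in the ideal case, the full chain
        length in the worst case. This is the cost a collision attack inflates."""
        chain = self.buckets[self.bucket_of(key)]
        return chain.index(key) + 1 if key in chain else len(chain)

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def layout(keys, seed=None):
    """Bucket index chosen for each key by a fresh table instance."""
    table = ChainedTable(seed=seed)
    for k in keys:
        table.insert(k)
    return tuple(table.bucket_of(k) for k in keys)


def worst_case_lookup(keys, seed=None) -> int:
    """Largest number of comparisons any of the keys needs in a fresh table."""
    table = ChainedTable(seed=seed)
    for k in keys:
        table.insert(k)
    return max(table.lookup_cost(k) for k in keys)


# Constructed sample: the kind of values a dataset rule might track.
SAMPLE_KEYS = [f"10.0.{i // 256}.{i % 256}".encode() for i in range(64)]


def unseeded_layout_is_reproducible(keys=SAMPLE_KEYS) -> bool:
    """With a fixed seed, two independent instances (or two deployments) place
    every key in exactly the same bucket, so a collision set computed offline
    against one instance works against all of them."""
    return layout(keys, seed=0) == layout(keys, seed=0)


def seeded_layout_is_reproducible(keys=SAMPLE_KEYS) -> bool:
    """With a random seed, an offline-computed layout does not carry over:
    two instances almost surely disagree on bucket placement."""
    return layout(keys) == layout(keys)


if __name__ == "__main__":
    print("unseeded layout reproducible across instances:", unseeded_layout_is_reproducible())
    print("seeded layout reproducible across instances:  ", seeded_layout_is_reproducible())
    print("worst-case lookup cost, fixed seed:", worst_case_lookup(SAMPLE_KEYS, seed=0))
```

The design point is the constructor: the seed is chosen from `secrets.randbits` (a CSPRNG) at construction, so an attacker who has studied one sensor learns nothing about the bucket layout of another. The `lookup_cost` method is the quantity that degrades from constant to linear when many keys share a chain; a per-instance seed does not shrink a chain that already exists, it only prevents the same precomputed chain from being valid everywhere.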
Attack Vector
Two exploitation paths exist. First, an operator who loads a dataset file from an untrusted source can be served a file whose entries are pre-computed to collide, stalling dataset ingestion. Second, when rules use datasets to track live traffic, a remote attacker can send packets containing values chosen to collide inside thash. The attack requires no authentication and no user interaction. Refer to the GitHub Security Advisory GHSA-64ww-4f6x-863p and the OISF issue tracker for upstream technical details.
Detection Methods for CVE-2024-47187
Indicators of Compromise
- Suricata processes showing sustained high CPU utilization without a corresponding increase in traffic volume
- Abnormally long dataset load times reported in suricata.log during startup or rule reload
- Increasing capture.kernel_drops or tcp.reassembly_gap counters in stats.log while throughput remains stable
- Dataset files received from external feeds containing unusually clustered or repetitive entries
Detection Strategies
- Compare the running Suricata version reported by suricata --build-info against the fixed release 7.0.7 or later
- Audit suricata.yaml and rule files for dataset keywords sourced from third-party or untrusted feeds
- Baseline normal dataset load duration and alert when load time deviates beyond expected thresholds
- Correlate sensor CPU spikes with rule reload events and traffic samples matching dataset-tracked fields
Monitoring Recommendations
- Forward Suricata stats.log and eve.json to a centralized analytics platform for time-series analysis
- Alert on packet drop rate increases that coincide with rule or dataset reloads
- Track integrity of dataset files retrieved from external sources using cryptographic hashes
- Monitor SIEM telemetry for gaps in alert volume that may indicate sensor degradation
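The script below, added as an example and not part of any Suricata tooling, implements two of the checks from the Detection Strategies and Monitoring Recommendations lists: it parses the version out of `suricata --build-info` output and compares it against the fixed release 7.0.7, and it scans eve.json stats records for intervals where capture.kernel_drops grows while packet volume stays flat. It assumes the build-info output begins with a line of the form `This is Suricata version X.Y.Z ...` and that stats records carry `stats.capture.kernel_packets` and `stats.capture.kernel_drops` as cumulative counters; the thresholds, function names and every sample record are constructed here.

```python
"""Added example (not Suricata's own tooling) for two detection strategies:
(1) compare the running version from `suricata --build-info` with 7.0.7, and
(2) flag stats intervals where kernel drops rise while traffic volume is flat.

Assumptions: build-info output contains 'This is Suricata version X.Y.Z ...';
eve.json stats records carry stats.capture.kernel_packets / kernel_drops as
cumulative counters. All sample input below is constructed.
"""
import json
import re

FIXED_VERSION = (7, 0, 7)

# Constructed sample of `suricata --build-info` output (first line is what matters).
SAMPLE_BUILD_INFO = "This is Suricata version 7.0.6 RELEASE\nFeatures: ...\n"


def _stats(ts, packets, drops):
    """Build one constructed eve.json stats record with cumulative counters."""
    return {"timestamp": ts, "event_type": "stats",
            "stats": {"capture": {"kernel_packets": packets, "kernel_drops": drops}}}


# Constructed eve.json excerpt: one JSON object per line, one stats record per minute.
# Traffic stays near 100k packets/interval while drops climb from the 10:03 interval on.
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    _stats("2024-10-16T10:00:00.000000+0000", 0, 0),
    {"timestamp": "2024-10-16T10:00:30.000000+0000", "event_type": "alert"},  # skipped
    _stats("2024-10-16T10:01:00.000000+0000", 100_000, 0),
    _stats("2024-10-16T10:02:00.000000+0000", 200_000, 50),
    _stats("2024-10-16T10:03:00.000000+0000", 305_000, 5_050),
    _stats("2024-10-16T10:04:00.000000+0000", 400_000, 12_050),
])


def parse_build_info_version(text: str):
    """Return (major, minor, patch) from build-info output, or raise."""
    m = re.search(r"Suricata version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no 'Suricata version X.Y.Z' line in build-info output")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version) -> bool:
    """True for any release before 7.0.7 (tuple comparison is lexicographic)."""
    return tuple(version) < FIXED_VERSION


def load_stats_events(eve_text: str):
    """Parse JSON lines, keep only stats records, return them in time order."""
    events = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "stats":
            events.append(rec)
    return sorted(events, key=lambda r: r["timestamp"])


def drop_spikes(events, drop_ratio=0.01, volume_tolerance=0.25):
    """Compute per-interval deltas of the cumulative counters and flag an
    interval when drops/packets >= drop_ratio while the packet count is within
    volume_tolerance of the previous interval: drops rising without a matching
    rise in traffic, the pattern a CPU-exhausted sensor produces."""
    findings = []
    prev_cap, prev_pkts = None, None
    for rec in events:
        cap = rec["stats"]["capture"]
        if prev_cap is not None:
            pkts = cap["kernel_packets"] - prev_cap["kernel_packets"]
            drops = cap["kernel_drops"] - prev_cap["kernel_drops"]
            stable = (prev_pkts is not None and prev_pkts > 0
                      and abs(pkts - prev_pkts) / prev_pkts <= volume_tolerance)
            if stable and pkts > 0 and drops / pkts >= drop_ratio:
                findings.append({"timestamp": rec["timestamp"],
                                 "packets": pkts, "drops": drops})
            prev_pkts = pkts
        prev_cap = cap
    return findings


if __name__ == "__main__":
    version = parse_build_info_version(SAMPLE_BUILD_INFO)
    print("running", ".".join(map(str, version)),
          "- vulnerable" if is_vulnerable(version) else "- fixed")
    for f in drop_spikes(load_stats_events(SAMPLE_EVE)):
        print("drop spike at", f["timestamp"], f)
```

In production the build-info text comes from running the binary on each sensor and the eve.json lines from the forwarded log stream; the interval logic only needs the stats records to be cumulative and time-ordered. The first two intervals can never be flagged, since the check needs a previous interval to judge whether volume is stable, which keeps a cold start from raising a false positive.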
How to Mitigate CVE-2024-47187
Immediate Actions Required
- Upgrade all Suricata sensors to version 7.0.7 or later
- Inventory every ruleset and dataset feed currently loaded by production sensors
- Remove or quarantine dataset files obtained from sources that cannot be cryptographically verified
- Restart Suricata after upgrade to ensure the corrected seeding logic is active
Patch Information
OISF addressed the issue in Suricata 7.0.7 by properly initializing the random seed used by the thash structure. Operators should obtain the release from the official OISF distribution channels and validate package signatures before deployment. Details of the fix are documented in the GitHub Security Advisory.
Workarounds
- Avoid loading datasets from untrusted or unauthenticated sources until the upgrade is complete
- Disable or remove rules that use the dataset keyword to track live traffic values
- Restrict write access to dataset files on disk so only trusted automation can update them
- Place network controls in front of management interfaces that ingest external rule or dataset feeds
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

