Security Advisories rsyslog

Potential DoS with malformed TAG

Thursday, September 1st, 2011

If a malformed, severely too long TAG is used in legacy (RFC3164) syslog messages, rsyslog can abort based on the conditions described in this security advisory.

CVE: CVE-2011-3200

Affected Stable Versions:
v4.6.0 to 4.6.7 (inclusive)
v5.2.0 to 5.8.4 (inclusive)

Devel and Beta versions are probably also affected, but are not suitable for production and thus not analyzed in detail. Version 3 is not affeceted. Versions prior to 3 have not been analyzed.

Fix:
Update to 4.6.8 or 5.8.5. The fix is also included in the following non-beta versions: 4.7.5, 5.9.3, 6.1.12, 6.3.5.
For non current affected versions, the following patches can most probably be applied: v4, v5. Note that due to the myriad of different versions we can not provide individual patches for all outdated versions (and in general it is less secure to run outdated versions).

Short Description:
An excessively long TAG inside a legacy syslog message can lead to a two-byte stack buffer overflow. If rsyslog has been compiled with stack guard, this can lead to an abort. This has been seen on 32bit platforms, but not on 64 bit ones (though not outruled there). If not compiled with stack guard, no fatal problem occurs and the tag character is usually just truncated. Exact behaviour depends on the platform and may be slightly different on compilers different from gcc and/or non-Intel architecture machines.

(more…)

Posted in Security Advisories | 1 Comment »

$AllowedSender not honored

Thursday, December 4th, 2008

A primitive way of access control is offered in rsyslog via the $AllowedSender configuration directive. It permits the operator to specify hosts from which messages are being accepted. If the directive is not specified, messages from all hosts are accepted. If it is, the set is limited to those senders that match the configured criteria (this can be network addresses or host name). Access control can be configured for UDP- based and TCP-based protocols independently.

Note that this directive may be used to simplify firewall setup, where the firewall permits incoming traffic from all remote machines on the port in question. Then rsyslog ACLs are used to control who is actually permitted. The down-side of this approach is that the packets reach rsyslog and any vulnerability in it can be exploited. Please note that UDP addresses can easily be spoofed (though thankfully not as easy any longer on the public Internet thanks to more careful configuration on most ISP’s side). So an IP-based access control does not work very well for UDP (neither at the firewall nor at the rsyslog level – but the firewall may have more options at hand, given its comparatively broad knowledge of the perimeter). (more…)

Tags: $AllowedSender, rsyslog
Posted in Security Advisories | No Comments »

SQL Injection Vulnerability in rsyslogd

Friday, September 23rd, 2005

An SQL injection vulnerability was found in all rsyslog releases prior to the ones announced on 2005-09-23. An attacker can send a specifically-crafted syslog message to rsyslogd and potentially take ownership of the machine.

This can be locally exploited if rsyslogd is listening on the local socket. Wes assume it is doing this in almost all cases. It can also be exploited remotely if rsyslogd is listening on network sockets and the attacker is not blocked from sending messages to rsyslogd (e.g. if not blocked by firewalling).

The vulnerability can potentially be used to take full ownership of the computer a compromised rsyslog is running on. The extend of the compromise is depending on the permissions of the user used to connect to MySQL.

We do not know of any case where this was exploited in practice. The bug was discovered during security-testing rsyslogd.

As of this writing, fixed versions exist both for the stable and the development branch. They are named 1.0.1 and 1.10.1. They can be obtained via the following links:

For 1.0.1 stable:
http://www.rsyslog.com/Downloads-index-req-getit-lid-17.phtml

For 1.10.1 development:
http://www.rsyslog.com/Downloads-index-req-getit-lid-18.phtml

As this is a serious vulnerability, we urge all users to update to the fixed version as soon as possible.

If you have turned on NO_BACKSLASH_ESCAPES in MySQL, you MUST make changes to your configuration file. Read DETAILS below to learn more. (more…)

Tags: rsyslog, SQL Injection
Posted in Security Advisories | No Comments »