librelp stack buffer overflow vulnerability (CVE-2018-1000140)
On Monday March 19th, 2018, the librelp development team was informed by the security team at lgtm.com (Semmle) about a critical security vulnerability in librelp. The vulnerability is a long-standing bug that exists since version 1.1.1 (2013-06-11). It affects the client certificate validation in TLS mode which can lead to a stack buffer overrun and thus remote code execution.
Users of librelp are strongly advised to upgrade their packages as a matter of urgency.
Affected packages and versions
- librelp 1.2.14 down to 1.1.1
Disclosure process
The security team followed best practices when they notified the librelp development team, who subsequently validated their claim. As agreed, one of the researchers applied for a CVE but unfortunately made a mistake in the afternoon of March 20th, which lead to high-level information about the vulnerability becoming public via the Distributed Weakness Filing Project [1].
We have to assume that the vulnerability became publicly known at that point. The librelp team finalized a patch [2] on March 20th, and a new release of librelp was released on March, 21st. It is available in both source and binary form from the project’s package repository. Note that the patch commit message is intentionally vague so as not to attract additional attention while details of the vulnerability were being disclosed.
The vulnerability
The vulnerability is caused by a call to snprintf on line 1205 of tcp.c [3].
This coding pattern is dangerous, because snprintf returns the number of bytes that it would have written if the buffer had been big enough. Most notably, that number is not necessarily equal to the number of bytes that it actually wrote. It is a common mistake to assume that snprintf returns the number of bytes written. In certain situations and if the data provided to snprintf is controlled by an attacker, this can lead to a stack overflow and the potential to remotely execute code. The code analysis provided by lgtm.com detects potentially dangerous uses of snprintf in open source projects: https://lgtm.com/rules/1505913226124/
Unfortunately, librelp is indeed vulnerable. In order to exploit this vulnerability, an attacker needs to be able to connect to a TLS-enabled RELP logging interface provided by librelp (for example, as can be provided by rsyslog). The attacker then needs to supply an X.509 certificate containing more than 32KB of “subject alt names”. One of these strings needs to overlap the 32KB boundary. For example, if one of the strings starts 10 bytes before the end of the 32KB buffer but is 100 bytes long, then the loop in librelp’s tcp.c will write the first 10 bytes of the string to the buffer but still increment iAllNames by 100. On the next iteration of the loop, the next string will be written at a starting offset of 32KB + 90. An attacker can control the size of this “gap” by varying the length of the overlapping string and utilize it to control exactly which part of the stack they want to overwrite. In particular, this means that they can avoid overwriting the stack canary, which makes the vulnerability significantly easier to exploit.
The teams at librelp and lgtm.com have not yet released a proof-of-concept exploit for this vulnerability.
Severity and mitigation
In the opinion of the librelp/rsyslog development team:
- the vulnerability is unquestionably critical as it could lead to RCE
- depending on GnuTLS, it may be hard to actually exploit the vulnerability
- the severity is mitigated if security recommendations are followed
The use of GnuTLS
librelp uses GnuTLS for handling TLS connections. GnuTLS’s behaviour and handling of overly large fields therefore influences this vulnerability in librelp.
The maximum size of the name fields in question is specified in RFC5280 as follows:
Section 4.1:
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
Appendix B imposes the following “restriction”:
The construct “SEQUENCE SIZE (1..MAX) OF” appears in several ASN.1 constructs. A valid ASN.1 sequence will have zero or more entries. The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified.
Implementations are free to choose an upper bound that suits their environment.
As such, much depends on the actual GnuTLS binary that is linked to librelp. If it imposes a limit of 32KB (or less), the vulnerability cannot be exploited. We are currently trying to understand the default behavior of GnuTLS in this regard and will update this advisory when we receive new information.
RFC5280 Sect. 4.2.1.6 imposes restrictions on which characters can be used inside the “subject alternative name”. Brief review indicates that some byte sequences are not permitted. If so, and if GnuTLS implements these validations, the ability of an attacker to inject arbitrary code is reduced, making it harder to craft a workable exploit.
Nevertheless, it should be assumed that GnuTLS does not provide any safeguards. Even if there are, and if those safeguards are enabled by default, we have to consider the possibility of any checks being disabled in a specific binary.
Trusted networks
Regarding the mitigation of the severity of this vulnerability: users are strongly advised not to expose logging port like syslog TCP and RELP to a public network; these ports are best firewalled to make them available only on a dedicated network. If that advice is followed, the risk is significantly reduced to already-compromised systems on a trusted network.
However, some logs-as-a-service providers do expose RELP on the public Internet. The rsyslog team has been in touch with and/or reviewed documentation for leading providers. Those we checked either do not expose RELP at all or do not support TLS with RELP, and are therefore not at risk.
Credit
- Bas van Schaik; lgtm.com / Semmle
- Kevin Backhouse; lgtm.com / Semmle
References
[1] https://docs.google.com/spreadsheets/d/1PlDOsZ4Q36JU4Dz9zyBB2F3814dScppCRCe1muCT7JI
[2] https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf
[3] Affected line in tcp.c (ibrelp version 1.2.14): https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205
librelp stack buffer overflow vulnerability (CVE-2018-1000140)
On Monday March 19th, 2018, the librelp development team was informed by the security team at lgtm.com (Semmle) about a critical security vulnerability in librelp. The vulnerability is a long-standing bug that exists since version 1.1.1 (2013-06-11). It affects the client certificate validation in TLS mode which can lead to a stack buffer overrun and thus remote code execution.
Users of librelp are strongly advised to upgrade their packages as a matter of urgency.
Affected packages and versions
- librelp 1.2.14 down to 1.1.1
Disclosure process
The security team followed best practices when they notified the librelp development team, who subsequently validated their claim. As agreed, one of the researchers applied for a CVE but unfortunately made a mistake in the afternoon of March 20th, which lead to high-level information about the vulnerability becoming public via the Distributed Weakness Filing Project [1].
We have to assume that the vulnerability became publicly known at that point. The librelp team finalized a patch [2] on March 20th, and a new release of librelp was released on March, 21st. It is available in both source and binary form from the project’s package repository. Note that the patch commit message is intentionally vague so as not to attract additional attention while details of the vulnerability were being disclosed.
The vulnerability
The vulnerability is caused by a call to snprintf on line 1205 of tcp.c [3].
This coding pattern is dangerous, because snprintf returns the number of bytes that it would have written if the buffer had been big enough. Most notably, that number is not necessarily equal to the number of bytes that it actually wrote. It is a common mistake to assume that snprintf returns the number of bytes written. In certain situations and if the data provided to snprintf is controlled by an attacker, this can lead to a stack overflow and the potential to remotely execute code. The code analysis provided by lgtm.com detects potentially dangerous uses of snprintf in open source projects: https://lgtm.com/rules/1505913226124/
Unfortunately, librelp is indeed vulnerable. In order to exploit this vulnerability, an attacker needs to be able to connect to a TLS-enabled RELP logging interface provided by librelp (for example, as can be provided by rsyslog). The attacker then needs to supply an X.509 certificate containing more than 32KB of “subject alt names”. One of these strings needs to overlap the 32KB boundary. For example, if one of the strings starts 10 bytes before the end of the 32KB buffer but is 100 bytes long, then the loop in librelp’s tcp.c will write the first 10 bytes of the string to the buffer but still increment iAllNames by 100. On the next iteration of the loop, the next string will be written at a starting offset of 32KB + 90. An attacker can control the size of this “gap” by varying the length of the overlapping string and utilize it to control exactly which part of the stack they want to overwrite. In particular, this means that they can avoid overwriting the stack canary, which makes the vulnerability significantly easier to exploit.
The teams at librelp and lgtm.com have not yet released a proof-of-concept exploit for this vulnerability.
Severity and mitigation
In the opinion of the librelp/rsyslog development team:
- the vulnerability is unquestionably critical as it could lead to RCE
- depending on GnuTLS, it may be hard to actually exploit the vulnerability
- the severity is mitigated if security recommendations are followed
The use of GnuTLS
librelp uses GnuTLS for handling TLS connections. GnuTLS’s behaviour and handling of overly large fields therefore influences this vulnerability in librelp.
The maximum size of the name fields in question is specified in RFC5280 as follows:
Section 4.1:
SubjectAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
Appendix B imposes the following “restriction”:
The construct “SEQUENCE SIZE (1..MAX) OF” appears in several ASN.1 constructs. A valid ASN.1 sequence will have zero or more entries. The SIZE (1..MAX) construct constrains the sequence to have at least one entry. MAX indicates that the upper bound is unspecified.
Implementations are free to choose an upper bound that suits their environment.
As such, much depends on the actual GnuTLS binary that is linked to librelp. If it imposes a limit of 32KB (or less), the vulnerability cannot be exploited. We are currently trying to understand the default behavior of GnuTLS in this regard and will update this advisory when we receive new information.
RFC5280 Sect. 4.2.1.6 imposes restrictions on which characters can be used inside the “subject alternative name”. Brief review indicates that some byte sequences are not permitted. If so, and if GnuTLS implements these validations, the ability of an attacker to inject arbitrary code is reduced, making it harder to craft a workable exploit.
Nevertheless, it should be assumed that GnuTLS does not provide any safeguards. Even if there are, and if those safeguards are enabled by default, we have to consider the possibility of any checks being disabled in a specific binary.
Trusted networks
Regarding the mitigation of the severity of this vulnerability: users are strongly advised not to expose logging port like syslog TCP and RELP to a public network; these ports are best firewalled to make them available only on a dedicated network. If that advice is followed, the risk is significantly reduced to already-compromised systems on a trusted network.
However, some logs-as-a-service providers do expose RELP on the public Internet. The rsyslog team has been in touch with and/or reviewed documentation for leading providers. Those we checked either do not expose RELP at all or do not support TLS with RELP, and are therefore not at risk.
Credit
- Bas van Schaik; lgtm.com / Semmle
- Kevin Backhouse; lgtm.com / Semmle
References
[1] https://docs.google.com/spreadsheets/d/1PlDOsZ4Q36JU4Dz9zyBB2F3814dScppCRCe1muCT7JI
[2] https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf
[3] Affected line in tcp.c (ibrelp version 1.2.14): https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205
librelp 1.2.15
librelp 1.2.15 [download]
This new release of librelp provides several bugfixes and can be built on Solaris and AIX.
For more details, please take a look at the changelog below.
– made build on AIX
Thanks to Philippe Duveau for providing the patches
– bugfix: invalid handling of snprintf() return code
– bugfix: invalid assert predicate
an assert could change status variable due to typo, so in debug
mode processing could fail.
thanks to github user KatMisato for alerting us
fixes https://github.com/rsyslog/librelp/issues/66
– some code cleanup
– bugfix: error message on open error was truncated
The “connection already open” error message when trying to open
an already open connection was truncated due to too-small size
specified.
Thanks to rsyslog forum user AlanR for the problem report.
sha256sum: a931832d9056660feee76d52195b21d4e9e06d5ec8e96b26af44e998529da999
rsyslog 8.33.1 (v8-stable) released
Today, we release rsyslog 8.33.1. The 8.33.0 tarball release was actually pre-8.33.0. Thus it did not contain all features. This alone made a re-release
necessary.
https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog
Download:
http://www.rsyslog.com/downloads/download-v8-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
rsyslog 8.33.0 (v8-stable) released
Today, we release rsyslog 8.33.0. This release has a number of changes, but most of these are under the hood. Some of the more obivous changes are the new include() script object and template json container. Also, rsyslog now has better support for running in a container environment. The full list of changes to rsyslog can be reviewed in the Changelog.
https://github.com/rsyslog/rsyslog/blob/v8-stable/ChangeLog
Download:
http://www.rsyslog.com/downloads/download-v8-stable/
As always, feedback is appreciated.
Best regards,
Florian Riedl
New Logo Selected
The logo was originally contributed in 2014 by “robert s”, whom unfortunately I am no longer able to contact. While before we never officially adopted it, it went into widespread use and is already often used to represent rsyslog. So in a sense the now-official selection let’s us keep consistent.
We are glad to have the community decision. I am right now implementing the new logo all over rsyslog web spaces. It will also be available via the rsyslog website github project (PR just created).
Many thanks to all who voted. It was a pleasant experience for us. This may have also set stage for future polls on different topics.
What are your thoughts regarding current and potential rsyslog support channels?
Overview
Traditionally the rsyslog community has sought and provided support through three main channels:
- mailing list
- forums
- ticketing system (at one time Bugzilla, now GitHub)
Over the years, the community support options have shifted to the point that we are considering retiring the forums in order to best direct users that post there to other, more current options that better fit their needs. It would appear that aside from specific cases, the time of the web forum has passed.
That said, we would like to get your feedback to best determine the way to move forward. What follows are some initial ideas to get the conversation started. Please feel free to respond here, via Twitter, the mailing list or on GitHub. Thank you for your time.
Potential Support options
The following items are all “whiteboard” topics, listed in no real order in an effort to start discussion. Neither the order or presence in the list indicates that a decision has already been made by the team to pursue the support option. Please feel free to suggest your own entries.
Keep the forums, send notifications of new posts made on the forums to the mailing list
- Note: Attempts to respond to those notifications would not result in the replies being posted to the original topic on the forums.
- Would this truly result in any additional responses to those forum posts than are currently being provided now?
Set forums to read-only, direct visitors to GitHub for support
Set forums to read-only, direct visitors to StackOverflow
It would appear there is already solid participation there for questions tagged with rsyslog:
https://stackoverflow.com/questions/tagged/rsyslog
Official Twitter presence
followers are encouraged to retweet rsyslog related questions, guides, etc to their followers.
This is actually a “trick” entry of sorts! We already have a Twitter account that you can follow and interact with: @rsyslog
- Do you already follow that account?
- Would you retweet content from others?
- Would you respond to help requests that are retweeted
- If links to active GitHub issues are posted, will you take the time to go view them?
Official Facebook presence
Would you participate in discussions and support requests made there?
IRC, XMPP, Slack, …
- Would you participate?
- Do you feel this could replace the forums?
- Would this be more useful to you than the mailing list?
Help select a logo…
We need a new, a real logo. We have some candidates. Note that logo 1 was originally contributed in 2014 by “robert s” (whom I no longer able to contact…). Unfortunately, we did never officially adopt it, primarily due to failure on my part. Nevertheless it got pretty popular on the Internet and is often associated with rsyslog.
Please let us know what you like by leaving either a comment here or posting to the mailing list. Alternatively, you can also cast your ballot via this online vote form.
We are of course open for any additional suggestions. We are also not upset if you let us know that we are not great logo designers – we know we are not ;-)
In order to avoid past errors, I ask anyone to provide feedback within one week, so we will draw a “winner” by Feb, 8th 2018. To help facilitate the decision I will experimentally put logo 1 into some places tomorrow if there is no strong objection in doing so.
If you want to have a look at our old old ugly logo have a look at e.g. https://hub.docker.com/u/rsyslog/)
My personal 2cts: I as rsyslog maintainer (@rgerhards) have to admit that I have a strong preference for either logo 1 or logo 2. Pro-logo 1 speaks IMHO that it is already associated with rsyslog. Together with its stylish simplicity, this makes it an excellent choice. I also need to say that I am a bit skeptic in regard to logo 6, simply because it breaks “r” and “syslog”.
RSyslog Windows Agent 4.3c Released
Adiscon is proud to announce the 4.3c release of Rsyslog Windows Agent.
This release contains some a minor bugfix.
Detailed information can be found in the version history below.
Build-IDs: Service 4.3.0.178, Client 4.3.0.255
Version 4.3c is a free download. Customers with existing 3.x keys can contact our Sales department for upgrade prices. If you have a valid Upgrade Insurance ID, you can request a free new key by sending your Upgrade Insurance ID to sales@adiscon.com. Please note that the download enables the free 30-day trial version if used without a key – so you can right now go ahead and evaluate it.
Bugfixes |
|
RSyslog Windows Agent 4.3b Released
Adiscon is proud to announce the 4.3b release of Rsyslog Windows Agent.
This release contains some a minor bugfix.
Detailed information can be found in the version history below.
Build-IDs: Service 4.3.0.177, Client 4.3.0.255
Features |
Bugfixes |
|
Version 4.3b is a free download. Customers with existing 3.x keys can contact our Sales department for upgrade prices. If you have a valid Upgrade Insurance ID, you can request a free new key by sending your Upgrade Insurance ID to sales@adiscon.com. Please note that the download enables the free 30-day trial version if used without a key – so you can right now go ahead and evaluate it.