Bug 899756 (CVE-2014-3683)

Summary: VUL-0: CVE-2014-3683: rsyslog/syslogd: remote syslog PRI vulnerability - incomplete fix for CVE-2014-3634
Product: [openSUSE] openSUSE Tumbleweed Reporter: Andreas Stieger <Andreas.Stieger>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: Andreas.Stieger, krahmer, meissner, mt, schwab, security-team, werner
Version: 201409*   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/
See Also: http://bugzilla.suse.com/show_bug.cgi?id=897262
Whiteboard: maint:released:sle11-sp1:59283 maint:released:sle11-sp3:59284
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 897262    

Description Andreas Stieger 2014-10-04 19:36:46 UTC 
http://www.rsyslog.com/remote-syslog-pri-vulnerability-cve-2014-3683/

emote syslog PRI vulnerability
===============================

CVE: CVE-2014-3683

See also CVE: CVE-2014-3634

Status of this report
———————
FINAL

Reporter
——-
mancha <mancha1@zoho.com>, intial detection and analysis
Rainer Gerhards <rgerhards@adiscon.com>, rsyslog project lead

Affected
——–
- rsyslog, most probably all versions (checked v3-stable and above)
- sysklogd (checked most recent versions)

Short Description
—————–
While preparing a fix for CVE-2014-3634 for sysklogd, mancha discovered and
privately reported that the initial rsyslog fix set was incomplete. It did
not cover cases where PRI values > MAX_INT caused integer overflows
resulting in negative values.

Root Cause
———-
A while parsing the syslog message’s PRI value, an integer overlow can
happen (for PRI > MAX_INT), which may cause negative PRI values. The
solutions provided in CVE-2014-3634 do not handle that case.

Effect in Practice
——————

General
~~~~~~~
Almost all distributions do ship rsyslog without remote reception by
default and almost all distros also put firewall rules into place that
prevent reception of syslog messages from remote hosts (even if rsyslog
would be listening). With these defaults, it is impossible to trigger
the vulnerability in v7 and v8. Older versions may still be vulnerable
if a malicious user writes to the local log socket.

Even when configured to receive remote message (on a central server),
it is good practice to protect such syslog servers to accept only
messages from trusted peers, e.g. within the relay chain. If setup in
such a way, a trusted peer must be compromised to send malfromed
messages. This further limits the magnitude of the vulnerability.

If, however, any system is permitted to send data unconditionally to
the syslogd, a remote attack is possible.

sysklogd
~~~~~~~~
A segfault seems possible in sysklogd if a negative facility value (due to
integer overrun in facility parsing) is used. This could be used to
carry out a remote DoS.

rsyslogd
~~~~~~~~
Rsyslogd experiences the same problem as sysklogd.

As in CVE-2014-3634, rsyslog v7 and v8 have an elevated risk due to some
tables lookups used during writing. For details see CVE2014-3634.
Contrary to CVE-2014-3634, rsyslog prior to v6 is also likely to segfault.

Note that a segfault of rsyslog can cause message loss. There are multiple
scenarios for this, but likely ones are:

- reception via UDP, where all messages arriving during downtime are lost
- corruption of disk queue structures, which can lead to loss of all disk
queue contents (manual recovery is possible).

This list does not try to be complete. Note that disk queue corruption is likely
to occur in default settings, because the important queue information file (.qi)
is only written on successful shutdown. Without a valid .qi file, queue message
files cannot be processed.

How to Exploit
————–
A syslog message with a PRI > MAX_INT needs to be sent and the resulting
overflow must lead to a negative value. It is usually sufficient
to send just the PRI as in this example

""

Severity
——–
Given the fact that multiple changes must be made to default system configurations
and potential problems we classify the severity of this vulnerability as

MEDIUM

Note that the probability of a successful attack is on LOW. However, the risk of
message loss is HIGH in those rare instances where an attack is successful. As
mentioned above, it cannot totally be outruled that remote code injection is
possible using this vulnerability.

Patches
——-

sysklogd
~~~~~~~~
A patch for version 1.5 is available at: from mancha

rsyslog
~~~~~~~
Patches are available for versions known to be in wide-spread use.

Version 8.4.2 is not vulnerable. Version 7.6.7, while no longer being project
supported, received a patch and is also not vulnerable.

Versions 8.4.1 and 7.6.6 do NOT handle integer overflows and resulting negative
PRI values correctly. So upgrading to them is NOT a sufficient solution.

The rsyslog project also provides patches for older versions 5 and 3. This is
purely a convenience to those that still run these very outdated versions.
Note that these patches address the segfault issue. They do NOT offer all features
of the v7/8 series, as this would require considerate code changes. Most
importantly, the "invld" facility is not available in the v3 patch. Also,
the dead-version patches do not try to assing a specific severity to messages
with invalid PRI values nor do they prevent parsing those messages. In general,
it is suggested to upgrade to the currently supported version 8.4.2.

The patch is available: http://www.rsyslog.com/files/download/rsyslog/CVE-2014-3683-pri-vuln.tar.gz

Special thanks to mancha for his suggestions on how to fix the problem. The
core idea went into the rsyslog patches.
Comment 1 Bernhard Wiedemann 2014-10-04 21:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (899756) was mentioned in
https://build.opensuse.org/request/show/253950 Factory / rsyslog
Comment 2 Swamp Workflow Management 2014-10-04 22:00:17 UTC 
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-10-06 14:00:24 UTC 
This is an autogenerated message for OBS integration:
This bug (899756) was mentioned in
https://build.opensuse.org/request/show/254338 13.1 / rsyslog
Comment 6 Bernhard Wiedemann 2014-10-06 15:00:24 UTC 
This is an autogenerated message for OBS integration:
This bug (899756) was mentioned in
https://build.opensuse.org/request/show/254339 12.3 / rsyslog
Comment 9 Bernhard Wiedemann 2014-10-09 14:01:37 UTC 
This is an autogenerated message for OBS integration:
This bug (899756) was mentioned in
https://build.opensuse.org/request/show/254850 Factory / syslogd
Comment 10 Sebastian Krahmer 2014-10-14 12:51:23 UTC 
released
Comment 11 Swamp Workflow Management 2014-10-14 22:05:20 UTC 
SUSE-SU-2014:1294-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 890228,897262,899756
CVE References: CVE-2014-3634,CVE-2014-3683
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    rsyslog-5.10.1-0.11.1
SUSE Linux Enterprise Server 11 SP3 (src):    rsyslog-5.10.1-0.11.1
Comment 12 Swamp Workflow Management 2014-10-15 14:05:19 UTC 
openSUSE-SU-2014:1297-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 890228,897262,899756
CVE References: CVE-2014-3634,CVE-2014-3683
Sources used:
openSUSE 13.1 (src):    rsyslog-7.4.7-2.20.1
Comment 13 Swamp Workflow Management 2014-10-15 14:05:56 UTC 
openSUSE-SU-2014:1298-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 890228,897262,899756
CVE References: CVE-2014-3634,CVE-2014-3683
Sources used:
openSUSE 12.3 (src):    rsyslog-7.2.7-2.13.1
Comment 14 Swamp Workflow Management 2014-11-17 14:05:18 UTC 
SUSE-SU-2014:1438-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 890228,899756
CVE References: CVE-2014-3634,CVE-2014-3683
Sources used:
SUSE Linux Enterprise Server 12 (src):    rsyslog-8.4.0-5.1
SUSE Linux Enterprise Desktop 12 (src):    rsyslog-8.4.0-5.1