About syslog-ng
syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods to collect log data. Due to its capabilities in filtering, parsing, transforming and routing log data, it is frequently used to build enterprise logging middleware that takes log data from producers and delivers it to SIEM or Security Analytics products.
Impact
Remote attackers can cause a Denial of Service within syslog-ng by issuing a specially crafted syslog message to a syslog-ng source accepting RFC3164 style (traditional BSD syslog) messages.
A successful exploit will cause a syslog-ng worker thread that is processing the message to start spinning in a tight loop and consuming 100% CPU time.
syslog-ng usually has multiple worker threads (one per CPU core), so processing continues as long as at least one worker thread is still running. However, by repeating the exploit a number of times, all such threads can be driven into the erroneous state, eventually causing processing to stop entirely.
Apart from a Denial of Service, the vulnerability is believed not to allow a more critical security impact.
If syslog-ng stops consuming and delivering messages, then security systems such as SIEMs will also stop receiving them, hindering the threat detection capabilities of the SIEM and thus impacting the operation of the larger Security Operations function.
Patches
syslog-ng is known to be embedded in other products, which use it to carry out their logging functions as part of a larger system. The complete list of affected products is unknown to the author of this report, so this section does not present an exhaustive list of affected products and patches.
The following table summarizes the published fixes known at this point.
Product                        Version fixed in
syslog-ng Open Source Edition  3.38.1
syslog-ng Premium Edition      7.0.32
syslog-ng Store Box            6.0.5
syslog-ng Store Box            7.0.0 LTS
Workarounds
There are no great workarounds to prevent this vulnerability from occurring. The workarounds are limited to controlling access to the syslog port. If an attacker has already gained access to a server that normally sends logs, these workarounds will be ineffective.
- Prevent attackers from accessing the syslog-ng source by adding firewalling rules
- Implement mutual authentication using TLS for log traffic, so that only trusted senders are allowed to send messages
- Implement monitoring for syslog-ng processes to see if the CPU usage becomes excessive while the message rates do not change significantly.
Upgrading to a fixed version is strongly recommended.
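The monitoring workaround above (excessive CPU while the message rate is flat) can be checked from /proc per-thread stat data. The following is an added example written for this advisory, not code from the syslog-ng project; it assumes Linux /proc/<pid>/task/<tid>/stat layout, CLK_TCK of 100, and a processed-message counter the operator already collects (for example from syslog-ng's own stats). The sample stat lines are constructed.

```python
import re

CLK_TCK = 100  # assumption: sysconf(SC_CLK_TCK), 100 on most Linux hosts

_STAT_RE = re.compile(r"^(\d+) \((.*)\) (\S) (.*)$")


def parse_task_stat(line):
    """Return (tid, comm, cpu_ticks) from one /proc/<pid>/task/<tid>/stat line.

    utime and stime are fields 14 and 15 (1-based); after the state field they
    sit at offsets 10 and 11 of the remaining whitespace-separated fields."""
    m = _STAT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised stat line: %r" % line)
    rest = m.group(4).split()
    return int(m.group(1)), m.group(2), int(rest[10]) + int(rest[11])


def spinning_threads(stats_before, stats_after, msgs_before, msgs_after,
                     interval_s, baseline_rate, cpu_share=0.9, rate_tolerance=0.5):
    """Return tids that used >= cpu_share of one core over the interval while the
    processed-message rate stayed within rate_tolerance of the baseline rate."""
    rate = (msgs_after - msgs_before) / interval_s
    if baseline_rate and abs(rate - baseline_rate) / baseline_rate > rate_tolerance:
        return []  # CPU load is explained by a real change in traffic, not a spin
    before = {tid: ticks for tid, _, ticks in map(parse_task_stat, stats_before)}
    hot = []
    for tid, _, ticks in map(parse_task_stat, stats_after):
        share = (ticks - before.get(tid, ticks)) / (CLK_TCK * interval_s)
        if share >= cpu_share:
            hot.append(tid)
    return hot


def _stat_line(tid, utime, stime):
    # Constructed sample in /proc/<pid>/task/<tid>/stat layout (not from a real host)
    return f"{tid} (syslog-ng) R 1 1234 1234 0 -1 4194304 500 0 0 0 {utime} {stime} 0 0 20 0 4 0 1000 0"


SAMPLE_BEFORE = [_stat_line(1234, 300, 100), _stat_line(1235, 200, 50), _stat_line(1236, 200, 50)]
SAMPLE_AFTER = [_stat_line(1234, 310, 105), _stat_line(1235, 210, 55), _stat_line(1236, 900, 350)]


def demo():
    # 10 s window, ~100 msg/s before and during; thread 1236 burned 1000 ticks = one full core
    return spinning_threads(SAMPLE_BEFORE, SAMPLE_AFTER, 100000, 101000, 10, 100.0)


if __name__ == "__main__":
    print(demo())  # [1236]
```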
More information
If you have a question or need more information about this vulnerability, please open a new thread in https://github.com/syslog-ng/syslog-ng/discussions/categories/security