
An integer overflow in the RFC3164 parser allows remote attackers to cause a Denial of Service

High
bazsi published GHSA-7932-4fc6-pvmc Jan 10, 2023

Package: syslog-ng
Affected versions: < 3.38.1
Patched versions: 3.38.1

Package: syslog-ng Premium Edition
Affected versions: < 7.0.32
Patched versions: 7.0.32

Package: syslog-ng Store Box
Affected versions: < 6.0.5, < 7.0LTS
Patched versions: 6.0.5, 7.0LTS

Description

About syslog-ng

syslog-ng is an enhanced log daemon supporting a wide range of input and output methods to collect log data. Because of its filtering, parsing, transforming and routing capabilities, it is frequently used to build enterprise logging middleware that takes log data from producers and delivers it to SIEM or Security Analytics products.

Impact

Remote attackers can cause a Denial of Service within syslog-ng by issuing a specially crafted syslog message to a syslog-ng source accepting RFC3164 style (traditional BSD syslog) messages.

A successful exploit causes the syslog-ng worker thread that is processing the message to spin in a tight loop, consuming 100% CPU time.

syslog-ng usually has multiple worker threads (one per CPU core), so processing continues as long as at least one worker thread is still running. By repeating the exploit a number of times, however, all such threads can be driven into the erroneous state, eventually stopping processing entirely.

Apart from Denial of Service, the vulnerability is not believed to allow a more severe security impact.

If syslog-ng stops consuming and delivering messages, security systems such as SIEMs will also stop receiving them, hindering the threat detection capabilities of the SIEM and thus impacting the operation of the larger Security Operations function.

Patches

syslog-ng is known to be embedded in other products that incorporate it to carry out their logging functions as part of a larger system. The complete list of affected products is unknown to the author of this report, so this section does not present an exhaustive list of affected products and patches.

The following table summarizes the published fixes known at this point.

Product                        | Version fixed in
syslog-ng Open Source Edition  | 3.38.1
syslog-ng Premium Edition      | 7.0.32
syslog-ng Store Box            | 6.0.5
syslog-ng Store Box            | 7.0.0 LTS

Workarounds

There are no great workarounds to prevent this vulnerability from being triggered. The workarounds are limited to controlling access to the syslog port. If an attacker has already gained access to a server that normally sends logs, these workarounds will be ineffective.

  • Prevent attackers from reaching the syslog-ng source by adding firewall rules
  • Implement mutual authentication using TLS for log traffic, so that only trusted senders are allowed to send messages
  • Implement monitoring for syslog-ng processes to detect CPU usage becoming excessive while the message rate does not change significantly.

Upgrading to a fixed version is strongly recommended.
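
The second workaround in syslog-ng configuration terms, as an added example that is not part of this advisory or the syslog-ng project's own documentation: a plaintext RFC3164 network source reachable by any sender, next to the same source restricted with mutual TLS so that only clients presenting a certificate issued by a CA in ca-dir() are accepted. The listen address, ports and certificate paths are assumptions.

```syslog-ng
@version: 3.38

# Weak: plaintext TCP source on port 514. Any host that can reach the port
# can deliver RFC3164 messages to the parser. (Constructed example.)
source s_net_plain {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Hardened: TLS with mutual authentication. peer-verify(required-trusted)
# drops the connection unless the client presents a certificate that chains
# to a CA found in ca-dir(). ca-dir() must contain the CA certificates under
# their subject-hash file names (as produced by `openssl rehash`).
# Paths are assumptions; adjust them to the local PKI.
source s_net_mtls {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

destination d_remote { file("/var/log/remote.log"); };

# Route only the mutually authenticated source; s_net_plain is kept above
# for contrast and should be removed from a production configuration.
log { source(s_net_mtls); destination(d_remote); };
```

As the advisory notes, this only limits who can reach the vulnerable parser; a compromised trusted sender can still trigger the bug, so upgrading remains the actual fix.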

More information

If you have a question or need more information about this vulnerability, please open a new thread in https://github.com/syslog-ng/syslog-ng/discussions/categories/security

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-38725

Weaknesses