The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of One Identity syslog-ng

vulnerability 17700

syslog-ng: unreachable memory reading via HOST

Synthesis of the vulnerability

An attacker can force a read at an invalid address via $HOST on syslog-ng, in order to read a memory fragment or to trigger a denial of service.
Impacted products: syslog-ng.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 18/08/2015.
Identifiers: VIGILANCE-VUL-17700.

Description of the vulnerability

The syslog-ng product uses the server name in the $HOST variable.

However, if this variable is too long, a size inconsistency forces syslog-ng to read an uninitialized/unreachable memory area, which triggers a fatal error.

An attacker can therefore force a read at an invalid address via $HOST on syslog-ng, in order to read a memory fragment or to trigger a denial of service.

computer vulnerability announce 15077

syslog-ng: memory leak

Synthesis of the vulnerability

An attacker can create a memory leak in syslog-ng, in order to trigger a denial of service.
Impacted products: syslog-ng.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 21/07/2014.
Identifiers: VIGILANCE-VUL-15077.

Description of the vulnerability

The syslog-ng product logs messages.

However, the memory allocated to process some messages is never freed.

An attacker can therefore create a memory leak in syslog-ng, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2011-1951

syslog-ng: infinite loop via PCRE and global

Synthesis of the vulnerability

When the syslog-ng configuration uses a rewrite with PCRE and global, an attacker can log a malicious message, in order to create an infinite loop.
Impacted products: Fedora, syslog-ng.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 12/05/2011.
Identifiers: BID-47800, CVE-2011-1951, FEDORA-2011-7176, FEDORA-2011-8405, VIGILANCE-VUL-10648.

Description of the vulnerability

The "rewrite" directive in the syslog-ng configuration file specifies changes to apply to a message before it is logged. A rewrite can use a Perl-compatible regular expression (PCRE) and can be applied globally. For example:
  rewrite r_ip { subst("pattern", "replacement", ... type("pcre"), flags("global")); };

The log_matcher_pcre_re_match() function in the lib/logmatcher.c file implements the PCRE search and its replacement. However, if the regular expression can match an empty string, an infinite loop occurs when log_matcher_pcre_re_match() tries to replace it.

When the syslog-ng configuration uses a rewrite with PCRE and global, an attacker can therefore log a malicious message, in order to create an infinite loop.
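The empty-match case described above, as an added example that is not syslog-ng's code: a global substitution loop that always advances the search offset. It assumes POSIX `regex.h` as a stand-in for PCRE, and `subst_global` is a hypothetical name.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: replace every match of `pattern` in `input` with `repl`.
 * POSIX regex stands in for PCRE. Returns the number of replacements,
 * or -1 on a bad pattern or if `out` is too small. */
int subst_global(const char *pattern, const char *repl,
                 const char *input, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m;
    size_t pos = 0, o = 0, len = strlen(input), rlen = strlen(repl);
    int count = 0, eflags = 0;

    if (outsz == 0 || regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    while (pos <= len && regexec(&re, input + pos, 1, &m, eflags) == 0) {
        size_t start = pos + (size_t)m.rm_so, end = pos + (size_t)m.rm_eo;
        /* Room for: text before the match, replacement, one stepped char, NUL. */
        if (o + (start - pos) + rlen + 2 > outsz) { regfree(&re); return -1; }
        memcpy(out + o, input + pos, start - pos); o += start - pos;
        memcpy(out + o, repl, rlen);               o += rlen;
        count++;
        if (end == start) {
            /* Empty match: resuming at `end` would search the same offset
             * again and never terminate. Copy one character and step past it. */
            if (start < len) out[o++] = input[start];
            end = start + 1;
        }
        pos = end;
        eflags = REG_NOTBOL;   /* later searches do not begin at line start */
    }
    regfree(&re);
    if (pos < len) {           /* unmatched tail */
        if (o + (len - pos) + 1 > outsz) return -1;
        memcpy(out + o, input + pos, len - pos); o += len - pos;
    }
    out[o] = '\0';
    return count;
}

int main(void)
{
    char buf[64];
    int n = subst_global("x*", "-", "abc", buf, sizeof buf); /* matches "" */
    printf("%d replacements: %s\n", n, buf);
    return 0;
}
```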

computer vulnerability announce CVE-2011-0343

syslog-ng: incorrect permissions

Synthesis of the vulnerability

On some systems, syslog-ng can create log files with incorrect permissions.
Impacted products: syslog-ng.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user shell.
Creation date: 17/01/2011.
Identifiers: BID-45988, CVE-2011-0343, VIGILANCE-VUL-10277.

Description of the vulnerability

The mode_t type stores permissions of a file (read, write, execution, for the owner, the group or the world).

The /usr/include/sys/types.h file generally defines mode_t as a 32-bit integer. However, FreeBSD and HP-UX define mode_t as a 16-bit integer.

The syslog-ng program does not handle the 16-bit case, and it can then set the 0xFFFF mode (everything is allowed).

On systems that define mode_t as 16 bits, syslog-ng can therefore create log files with incorrect permissions (read/write access for the world).

vulnerability bulletin CVE-2008-5110

syslog-ng: escaping the chroot

Synthesis of the vulnerability

An attacker who has found a vulnerability in syslog-ng can access files located outside the chroot jail.
Impacted products: Fedora, syslog-ng.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Creation date: 18/11/2008.
Identifiers: 505791, CVE-2008-5110, FEDORA-2008-10752, FEDORA-2008-10879, FEDORA-2008-10920, VIGILANCE-VUL-8253.

Description of the vulnerability

The syslog-ng logging daemon can be configured with a chroot jail. A potential attacker is thus restricted to files located inside the root of the jail.

However, this jail is not correctly initialized: the current directory is not changed before creating the jail.

An attacker inside the jail can therefore access files located in the directory that was current when the daemon was started (for example /etc/init.d).

vulnerability note CVE-2007-6437

syslog-ng: denial of service

Synthesis of the vulnerability

An attacker can send a malicious message in order to stop syslog-ng.
Impacted products: Debian, Fedora, syslog-ng.
Severity: 2/4.
Consequences: denial of service on service, disguisement.
Provenance: intranet client.
Creation date: 17/12/2007.
Identifiers: CERTA-2002-AVI-163, CERTA-2007-AVI-572, CVE-2007-6437, DSA-1464-1, FEDORA-2008-0523, FEDORA-2008-0559, VIGILANCE-VUL-7424, ZSA-2007-029.

Description of the vulnerability

The SYSLOG protocol uses messages with the following format:
  <priority>date hostname message
RFC 3164 indicates on page 11 that the date field has to be followed by a space.

However, the log_msg_parse() function in the logmsg.c file of syslog-ng does not detect a missing space and dereferences a NULL pointer.

An attacker, allowed to send a malformed message, can therefore stop the syslog-ng logging service.
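A strict parser for the message format above, as an added example that is not syslog-ng's log_msg_parse(): it rejects a line whose date is not followed by a space and tests every search result before using it. The `bsd_msg` structure and `parse_rfc3164` name are hypothetical, and the sample line is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct bsd_msg {
    int pri;
    char date[16];      /* "Mmm dd hh:mm:ss" + NUL */
    char host[256];
    const char *text;   /* points into the caller's line */
};

/* Hypothetical strict parser for "<priority>date hostname message".
 * Returns 0 on success, -1 on any malformed field. */
int parse_rfc3164(const char *line, struct bsd_msg *out)
{
    char *end;
    const char *p, *sp;
    long pri;
    size_t hlen;

    if (line == NULL || line[0] != '<' || !isdigit((unsigned char)line[1]))
        return -1;
    pri = strtol(line + 1, &end, 10);
    if (*end != '>' || pri > 191)       /* max: facility 23 * 8 + severity 7 */
        return -1;
    p = end + 1;
    /* Fixed-width 15-char timestamp, then the space RFC 3164 requires. */
    if (strlen(p) < 16 || p[3] != ' ' || p[6] != ' ' || p[9] != ':' ||
        p[12] != ':' || p[15] != ' ')
        return -1;
    snprintf(out->date, sizeof out->date, "%.15s", p);
    p += 16;
    sp = strchr(p, ' ');                /* NULL when no space follows the host */
    if (sp == NULL || sp == p || (size_t)(sp - p) >= sizeof out->host)
        return -1;
    hlen = (size_t)(sp - p);
    snprintf(out->host, sizeof out->host, "%.*s", (int)hlen, p);
    out->text = sp + 1;
    out->pri = (int)pri;
    return 0;
}

int main(void)
{
    struct bsd_msg m;   /* filled from a constructed sample line */
    if (parse_rfc3164("<13>Oct 11 22:14:15 mymachine su: test", &m) == 0)
        printf("%d|%s|%s|%s\n", m.pri, m.date, m.host, m.text);
    return 0;
}
```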

vulnerability alert CVE-2002-1200

Buffer overflow in the syslog-ng daemon

Synthesis of the vulnerability

By crafting log files containing malicious macros, an attacker can execute code with administrator rights.
Impacted products: Debian, syslog-ng, openSUSE.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 11/10/2002.
Revision dates: 16/10/2002, 30/10/2002, 31/10/2002.
Identifiers: BID-5934, CVE-2002-1200, DSA-175, DSA-175-1, SUSE-SA:2002:039, V6-UNIXSYSLOGNGBOF, VIGILANCE-VUL-3041.

Description of the vulnerability

The syslog-ng daemon logs messages from the local machine or from authorized remote machines.

To simplify the work of administrators, syslog-ng supports the use of macros:
 - in the name of the destination file:
    destination d_messages_by_host {
      file("/var/log/$HOST/messages");
    };

 - in the format of the data stored in these files:
    destination d_special_messages {
      file("/var/log/messages" template("$ISODATE $HOST $MSG\n"));
    };

A flaw was discovered in the implementation of the function that handles character expansion in macros. When a macro is expanded, a buffer is used and a variable named "left" holds the number of characters available in this buffer. When a constant character is added, this variable is not decremented, and a buffer overflow can occur.

An attacker with access to a system "monitored" by syslog-ng can generate a file whose name or data contains malicious macros. When syslog-ng opens these files, a memory overflow occurs and the attacker's code is executed.

The attacker can thus execute code on the machine with the rights of syslog-ng.
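The "left" accounting described above, as an added example that is not syslog-ng's code: a template expander that decrements the remaining space on both the macro path and the constant-character path. The `expand_template` name is hypothetical, only $HOST and $MSG are handled, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical expander for the $HOST and $MSG macros: writes the expanded
 * template into buf and returns its length, or -1 if it does not fit. */
int expand_template(const char *tmpl, const char *host, const char *msg,
                    char *buf, size_t bufsz)
{
    char *dst = buf;
    size_t left;                     /* characters still available in buf */

    if (bufsz == 0)
        return -1;
    left = bufsz - 1;                /* keep one byte for the terminator */
    while (*tmpl != '\0') {
        const char *val = NULL;
        size_t skip = 0;

        if (strncmp(tmpl, "$HOST", 5) == 0)     { val = host; skip = 5; }
        else if (strncmp(tmpl, "$MSG", 4) == 0) { val = msg;  skip = 4; }

        if (val != NULL) {           /* macro: value comes from the message */
            size_t n = strlen(val);
            if (n > left) { *dst = '\0'; return -1; }
            memcpy(dst, val, n);
            dst += n;
            left -= n;
            tmpl += skip;
        } else {                     /* constant character from the template */
            if (left == 0) { *dst = '\0'; return -1; }
            *dst++ = *tmpl++;
            left--;                  /* the decrement the bulletin says was missing */
        }
    }
    *dst = '\0';
    return (int)(dst - buf);
}

int main(void)
{
    char line[64];
    /* Constructed values for the two macros. */
    int n = expand_template("$HOST: $MSG\n", "web1", "disk full", line, sizeof line);
    printf("%d bytes: %s", n, line);
    return 0;
}
```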