[rsyslog] security issue in rsyslog

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Dec 4 13:38:17 CET 2008


Grrr... One more issue. I noticed that while I resolved some conflicts
on the devel branch integration. There is an option that a log message
is emitted by rsyslog itself, when a remote machine's message is
discarded due to no permission. This was requested so that people know
when something goes wrong. This is only in the UDP code.

HOWEVER, this is not rate-limited so if someone carries out a heavy
attack, he can still flood the local disk by these messages. I'll change
it so that the message is emitted only once every minute and will then
re-release what already has been released...

Rainer


> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, December 03, 2008 11:30 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] security issue in rsyslog
>
> The memory leak is now also fixed, I just quickly re-run some TLS tests
> to make sure nothing is broken and it works there, too.
>
> Patch (on top of the others):
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=b41bdeff56ad9d54dddcb8703560c750f04a6370
> 
> Rainer
> 
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, December 03, 2008 10:54 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] security issue in rsyslog
> >
> > Ok, I ran this fix through a couple of tests yesterday. It looks well
> > for TLS, too. Note that there is an implication that $AllowedSender
> > TCP,... applies to TLS too (because it is TCP). I'd consider this to be
> > a side-effect, but I do not think it is worth fixing. With TLS, there is
> > much finer and better control. An issue may only exist if someone
> > decides to run non-tls tcp and tls tcp together AND use $AllowedSender.
> > Workaround in that case is to use the firewall, so I don't consider it
> > is worth fixing now.
> >
> > Please note that my testing revealed a potential memory leak as
> > side-effect of the fixes. This could be abused to a remote DoS, so I
> > will investigate that before releasing.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > Sent: Monday, December 01, 2008 6:47 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] security issue in rsyslog
> > >
> > > And now there is an *untested* fix for the TLS driver:
> > >
> > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=61b59a78c6b558ec06383fc5969178887d00abfc
> > >
> > > Testing takes a bit more of time, I need to set up the test environment
> > > for TLS again (looks like it would really pay to have a fixed test suite
> > > for all those cases - also the issue here would have never occurred...).
> > >
> > > Please note that I mistook GSSAPI with TLS in my previous mail. The TLS
> > > part should not be really affected by the problem: there are so much
> > > better access control features in TLS...
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > Sent: Monday, December 01, 2008 5:52 PM
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > >
> > > > Ok, looks like I found a work-around. Not that elegant, but seems to
> > > > work quite well. Patch for TCP is here:
> > > >
> > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=97b89435aad77bd6d9e18747b55d701e360d5aac
> > > >
> > > > Please note that this effectively disables GSS functionality. I'll
> > > > update the GSS drivers in the next step.
> > > >
> > > > Rainer
> > > >
> > > > > -----Original Message-----
> > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: Monday, December 01, 2008 5:08 PM
> > > > > To: rsyslog-users
> > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > >
> > > > > The issue also exists in TCP mode, but analysis shows this is not a
> > > > > trivial fix. The design overlooked the situation. In theory, a whole new
> > > > > access control feature would be needed. I am checking out if it is
> > > > > possible to "just" enhance the interface. With the current netstreams
> > > > > defined that should be possible. I am tempted to release the UDP-fixed
> > > > > version and release the next version with the TCP fix. Feedback from
> > > > > packagers is appreciated. The TCP fix may take a day or two, depending
> > > > > on how smart a way I find.
> > > > >
> > > > > Rainer
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > Sent: Monday, December 01, 2008 4:37 PM
> > > > > > To: rsyslog-users
> > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > >
> > > > > > ... and the patch will not work on all of these versions, due to the
> > > > > > introduction of the netstream driver functionality. Please note that
> > > > > > anything older than current v3-stable is outdated, so the proper way to
> > > > > > replace the faulty code is to upgrade to the current v3-stable and apply
> > > > > > the patch. I will also release a new v3-stable soon, hopefully today
> > > > > > (but I'd like to conduct some more tests).
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > Sent: Monday, December 01, 2008 4:31 PM
> > > > > > > To: rsyslog-users
> > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > >
> > > > > > > I now clarified the affected versions. Affected are 3.12.2 and above.
> > > > > > >
> > > > > > > Rainer
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > Sent: Monday, December 01, 2008 3:32 PM
> > > > > > > > To: rsyslog-users
> > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > this is patch for v3-stable:
> > > > > > > >
> > > > > > > > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=f0ddbed44c332391ae6d9bbf6b07e2f06c4dd676
> > > > > > > >
> > > > > > > > I have not tried yet, but I think it will work on almost all other
> > > > > > > > versions, too. I keep you posted on the progress.
> > > > > > > >
> > > > > > > > Rainer
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > Sent: Monday, December 01, 2008 11:27 AM
> > > > > > > > > To: rsyslog-users
> > > > > > > > > Subject: Re: [rsyslog] security issue in rsyslog
> > > > > > > > >
> > > > > > > > > Version v2-stable is NOT vulnerable.
> > > > > > > > >
> > > > > > > > > Rainer
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > > > > > > Sent: Monday, December 01, 2008 10:55 AM
> > > > > > > > > > To: rsyslog-users
> > > > > > > > > > Subject: [rsyslog] security issue in rsyslog
> > > > > > > > > >
> > > > > > > > > > Hi folks,
> > > > > > > > > >
> > > > > > > > > > thanks to a bug report, I found out that the $AllowedSender directive
> > > > > > > > > > does not work in all releases. The bug in question is:
> > > > > > > > > >
> > > > > > > > > > http://bugzilla.adiscon.com/show_bug.cgi?id=111
> > > > > > > > > >
> > > > > > > > > > I am currently working on the bug. Obviously, this can lead to
> > > > > > > > > > messages being received from systems that are not permitted to do so.
> > > > > > > > > > As a work-around, proper firewalling should be set up on the vulnerable
> > > > > > > > > > hosts. Until further notice, I would assume that all versions of rsyslog
> > > > > > > > > > are affected (I will provide more detail during my analysis).
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Rainer
> > > > > > > > > > _______________________________________________
> > > > > > > > > > rsyslog mailing list
> > > > > > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > > > > > > http://www.rsyslog.com



More information about the rsyslog mailing list
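
The rate limit announced at the top of this thread ("emitted only once every minute"), sketched as an added example; this is not rsyslog's code. All names (`deny_log_state`, `deny_log_should_emit`, `simulate_flood`, `DENY_LOG_INTERVAL`) are hypothetical, and the sender address is a constructed documentation address. The state is fixed-size per listener, so a flood from many spoofed UDP sources cannot grow memory or the log.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#define DENY_LOG_INTERVAL 60 /* seconds between warnings (assumed name) */

/* Fixed-size state: does not grow with the number of rejected senders. */
struct deny_log_state {
    int      emitted_once; /* 0 until the first warning has been written */
    time_t   last_emit;    /* time of the last warning, in seconds */
    uint64_t suppressed;   /* rejects not logged since last_emit */
};

/* Per discarded datagram: returns 1 and fills buf if a warning is due. */
int deny_log_should_emit(struct deny_log_state *st, time_t now,
                         const char *sender, char *buf, size_t buflen)
{
    if (st->emitted_once && now >= st->last_emit &&
        now - st->last_emit < DENY_LOG_INTERVAL) {
        if (st->suppressed < UINT64_MAX) /* saturate instead of wrapping */
            st->suppressed++;
        return 0;
    }
    snprintf(buf, buflen, "sender %s not allowed, message discarded "
             "(%llu more suppressed)", sender,
             (unsigned long long)st->suppressed);
    st->emitted_once = 1;
    st->last_emit = now; /* also re-arms if the clock stepped backwards */
    st->suppressed = 0;
    return 1;
}

/* Constructed flood of pps rejects per second; returns warnings written. */
unsigned simulate_flood(unsigned pps, unsigned secs, char *last, size_t len)
{
    struct deny_log_state st = {0};
    unsigned lines = 0;
    for (unsigned t = 0; t < secs; t++)
        for (unsigned i = 0; i < pps; i++)
            lines += deny_log_should_emit(&st, (time_t)t, "192.0.2.7", last, len);
    return lines;
}

int main(void)
{
    char line[160];
    unsigned n = simulate_flood(1000, 180, line, sizeof line);
    printf("%u warnings for 180000 rejected datagrams\nlast: %s\n", n, line);
    return 0;
}
```

A real listener would pass a monotonic clock reading as `now`; the suppressed count in each warning keeps the scale of the flood visible to the operator.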