Vigil@nce: RSyslog, bypassing ACLs
December 2008 by Vigil@nce
SYNTHESIS
An attacker can bypass ACLs of RSyslog in order to create a denial
of service.
Gravity: 2/4
Consequences: data creation/editing
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 22/12/2008
IMPACTED PRODUCTS
– Fedora
– Unix - platform
DESCRIPTION
The RSyslog daemon implements a syslogd logging service. It has
two vulnerabilities.
The $AllowedSender variable restricts the list of clients allowed
to connect to RSyslog. After a code change, the variable was
duplicated, so the variable defined by the administrator is no
longer the one used to create the ACLs. As a result, all clients
are allowed to connect to RSyslog. [grav:2/4; CVE-2008-5617]
An attacker can connect to RSyslog and force it to log imudp
messages, in order to fill the filesystem. [grav:1/4;
CVE-2008-5618]
An attacker can therefore bypass ACLs of RSyslog in order to
create a denial of service.
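Because the configured $AllowedSender list may not be enforced on an affected build, an administrator can compare the senders actually seen with the list in the configuration. The following is an added example, not part of the bulletin and not RSyslog code; the configuration fragment, the sender list and the function names are constructed for illustration, and hostname or wildcard ACL entries are skipped.

```python
import ipaddress

# Constructed rsyslog.conf fragment (sample, not from the bulletin).
SAMPLE_CONF = """\
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$AllowedSender TCP, 198.51.100.10
"""

# Constructed (protocol, source IP) pairs, e.g. from a capture on the syslog port.
SAMPLE_SENDERS = [("UDP", "192.0.2.17"), ("UDP", "203.0.113.5"),
                  ("TCP", "198.51.100.10"), ("TCP", "192.0.2.17")]

def parse_allowed_senders(conf_text):
    """Return {protocol: [ip_network, ...]} built from $AllowedSender lines."""
    acl = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("$allowedsender"):
            continue
        fields = [f.strip() for f in line[len("$AllowedSender"):].split(",")]
        nets = acl.setdefault(fields[0].upper(), [])  # first field: UDP or TCP
        for entry in fields[1:]:
            try:
                # IPv6 entries are written as [addr]/bits; remove the brackets.
                entry = entry.replace("[", "").replace("]", "")
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue  # hostname/wildcard entries are not handled here
    return acl

def unexpected_senders(acl, observed):
    """Return observed senders that the configured ACL should have rejected."""
    hits = []
    for proto, src in observed:
        nets = acl.get(proto.upper())
        if nets is None:
            continue  # no $AllowedSender for this protocol: all senders allowed
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            hits.append((proto, src))
    return hits

if __name__ == "__main__":
    for proto, src in unexpected_senders(parse_allowed_senders(SAMPLE_CONF), SAMPLE_SENDERS):
        print(f"accepted outside ACL: {proto} {src}")
```

Any sender this reports on a host that declares $AllowedSender indicates the ACL is not being applied and the package should be updated.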
CHARACTERISTICS
Identifiers: CVE-2008-5617, CVE-2008-5618, FEDORA-2008-11476,
FEDORA-2008-11538, VIGILANCE-VUL-8350