CVE-2022-24903
Buffer overflow in TCP syslog server (receiver) components in rsyslog
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.
Rsyslog es un sistema muy rápido para el procesamiento de registros. Los módulos para la recepción de syslogs por TCP presentan un potencial desbordamiento del buffer de pila cuando es usado el framing de conteo de octetos. Esto puede resultar en un segfault o algún otro mal funcionamiento. A nuestro entender, esta vulnerabilidad no puede ser usada para una ejecución de código remota. Pero todavía puede haber una pequeña posibilidad de que los expertos lo hagan. El fallo es producido cuando es leído el recuento de octetos. Mientras se presenta una comprobación del número máximo de octetos, los dígitos son escritos en un búfer de montón incluso cuando el recuento de octetos supera el máximo, lo que puede usarse para sobrepasar el búfer de memoria. Sin embargo, una vez que la secuencia de dígitos es detenida, no pueden añadirse más caracteres al búfer. En nuestra opinión, esto hace que las explotaciones remotas sean imposibles o, al menos, muy complejos. El encuadre de octetos es uno de los dos modos de encuadre posibles. Es relativamente infrecuente, pero está habilitado por defecto en los receptores. Los módulos "imtcp", "imptcp", "imgssapi" y "imhttp" son usados para la recepción regular de mensajes syslog. Es una buena práctica no exponerlos directamente al público. Cuando es seguida esta práctica, el riesgo es considerablemente menor. El módulo "imdiag" es un módulo de diagnóstico destinado principalmente a las ejecuciones de los bancos de pruebas. No esperamos que esté presente en ninguna instalación de producción. El framing de octetos no es muy común. Normalmente, es necesario habilitarlo específicamente en los remitentes. Si los usuarios no lo necesitan, pueden deshabilitarlo para los módulos más importantes. Esto mitigará la vulnerabilidad
A flaw was found in rsyslog's reception TCP modules. This flaw allows an attacker to craft a malicious message leading to a heap-based buffer overflow. This issue allows the attacker to corrupt or access data stored in memory, leading to a denial of service in the rsyslog or possible remote code execution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-05-05 CVE Published
- 2024-07-27 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-787: Out-of-bounds Write
- CWE-1284: Improper Validation of Specified Quantity in Input
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8 | Third Party Advisory | |
| https://lists.debian.org/debian-lts-announce/2022/05/msg00028.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20221111-0002 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/rsyslog/rsyslog/commit/f211042ecbb472f9d8beb4678a65d272b6f07705 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rsyslog Search vendor "Rsyslog" | Rsyslog Search vendor "Rsyslog" for product "Rsyslog" | < 8.2204.1 Search vendor "Rsyslog" for product "Rsyslog" and version " < 8.2204.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | - | vmware_vsphere |
Affected
| ||||||