Bug 1032572

Summary: rsyslog: remote DoS when imgssapi module is enabled
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkurik, jlieskov, lkundrak, mah.darade, theinric
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rsyslog 6.1.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-18 20:09:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1032575    
Bug Blocks: 1032578    

Description Ratul Gupta 2013-11-20 12:20:51 UTC 
The gssapi module in Rsyslog is found to be vulnerable to a DoS crash when telneting to a remote port.

rsyslog-gssapi configuration on foo.example.com is:

    $ModLoad imgssapi
    $InputGSSServerRun 1514

Now the output result for the crash from the reporter seems to be like:

    # telnet foo.example.com 1514
    #     Connected to foo.example.com
    #         Escape character is '^]'.
    #             Connection closed by foreign host.
    #
    #             /var/log/syslog on foo.example.com has:
    #
    #             Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored
    #
    #             and rsyslogd crashes like:
    #
    #             5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
    #             5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
    #             5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
    #             5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
    #             5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
    #             5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
    #             5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
    #             Segmentation fault (core dumped)

Program terminated with signal 11, Segmentation fault, which confirms the issue.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729658
Comment 1 Ratul Gupta 2013-11-20 12:22:17 UTC 
Created rsyslog tracking bugs for this issue:

Affects: fedora-all [bug 1032575]
Comment 2 Vincent Danen 2013-11-21 16:10:55 UTC 
This issue does not affect rsyslog as shipped with Fedora 19 and 20 (7.2.6).  It does affect the version of ryslog5 as shipped with Red Hat Enterprise Linux 5 (but not rsyslog 3.x).  It does affect rsyslog on Red Hat Enterprise Linux 6, but was fixed in 5.8.10-8.el6 (released with 6.5):

* Wed Aug 14 2013 Tomas Heinrich <theinric> 5.8.10-8
...
- add a patch to prevent a segfault in gssapi
  resolves: #862517

A simple workaround for those using GSSAPI with rsyslog is to use iptables to restrict incoming connections to trusted machines only.  It's not a perfect work-around (one could telnet to the rsyslog listening port from one of the trusted machines and cause a crash), but it would seriously reduce the attack surface.
Comment 3 Vincent Danen 2013-11-21 16:45:03 UTC 
This was corrected upstream here:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=bea499dcb2747d1f5b42eae4978cfe86a37dc957#patch3

Interestingly, it looks like it was a side-effect of improving some TLS features.

This is fixed in Red Hat Enterprise Linux 6 via RHBA-2013:1716:

  https://rhn.redhat.com/errata/RHBA-2013-1716.html

* The imgssapi module is initialized as soon as the configuration file reader
encounters the $InputGSSServerRun directive in the /etc/rsyslog.conf
configuration file. The supplementary options configured after
$InputGSSServerRun are therefore ignored. For configuration to take effect, all
imgssapi configuration options must be placed before $InputGSSServerRun.
Previously, when this order was reversed, the rsyslogd daemon terminated
unexpectedly with a segmentation fault. This bug has been fixed, and rsyslogd no
longer crashes in the described scenario. (BZ#862517)
Comment 4 Vincent Danen 2013-11-21 16:48:19 UTC 
The upstream git commit, according to the changelog, was fixed in 6.1.5.
Comment 6 Tomas Hoger 2014-09-18 20:09:23 UTC 
As noted in comment 3, this was corrected in Red Hat Enterprise Linux 6 via RHBA-2013:1716.  There is no plan to address this in Red Hat Enterprise Linux 5.