Bug 1560084 (CVE-2018-1000140)

Summary: CVE-2018-1000140 librelp: Stack-based buffer overflow in relpTcpChkPeerName function in src/tcp.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: apmukher, dkopecek, dsoman, jvymazal, psampaio, rsroka, slawomir, slukasik, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: librelp 1.2.15
Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow was found in the way librelp parses X.509 certificates. By connecting to, or accepting connections from, a remote peer, an attacker may use a specially crafted X.509 certificate to exploit this flaw and potentially execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-05-06 20:59:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1560085, 1560086, 1561229, 1561230, 1561231, 1561232, 1570814, 1570815, 1570816, 1570817, 1570818, 1570819, 1570820
Bug Blocks: 1560087

Description Pedro Sampaio 2018-03-23 20:50:02 UTC
librelp version 1.2.14 and earlier contains a buffer overflow vulnerability in the checking of x509 certificates from a peer that can result in remote code execution. This attack appears to be exploitable by a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

Upstream patch:

https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf

References:

https://lgtm.com/rules/1505913226124/
https://github.com/rsyslog/librelp/blob/532aa362f0f7a8d037505b0a27a1df452f9bac9e/src/tcp.c#L1205

Comment 1 Pedro Sampaio 2018-03-23 20:50:34 UTC
Created librelp tracking bugs for this issue:

Affects: fedora-all [bug 1560085]

Comment 4 Tomas Hoger 2018-04-04 18:41:35 UTC
External References:

https://www.rsyslog.com/cve-2018-1000140/

Comment 8 Pedro Yóssis Silva Barbosa 2018-04-24 14:49:43 UTC
Mitigation:

Users are strongly advised not to expose their logging RELP services to a public network.

Comment 11 Pedro Yóssis Silva Barbosa 2018-04-24 15:45:14 UTC
Acknowledgments:

Name: Rainer Gerhards (rsyslog)
Upstream: Bas van Schaik (lgtm.com / Semmle), Kevin Backhouse (lgtm.com / Semmle)

Comment 12 errata-xmlrpc 2018-04-24 18:31:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1223 https://access.redhat.com/errata/RHSA-2018:1223

Comment 13 errata-xmlrpc 2018-04-24 18:35:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1225 https://access.redhat.com/errata/RHSA-2018:1225

Comment 19 errata-xmlrpc 2018-05-23 15:48:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:1701 https://access.redhat.com/errata/RHSA-2018:1701

Comment 20 errata-xmlrpc 2018-05-23 15:53:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1704 https://access.redhat.com/errata/RHSA-2018:1704

Comment 21 errata-xmlrpc 2018-05-23 15:54:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:1702 https://access.redhat.com/errata/RHSA-2018:1702

Comment 22 errata-xmlrpc 2018-05-23 15:55:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:1703 https://access.redhat.com/errata/RHSA-2018:1703

Comment 23 errata-xmlrpc 2018-05-23 15:57:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:1707 https://access.redhat.com/errata/RHSA-2018:1707