Bug 1032572 - rsyslog: remote DoS when imgssapi module is enabled
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20131115,reported=2...
Keywords: Security
Depends On: 1032575
Blocks: 1032578
 
Reported: 2013-11-20 07:20 EST by Ratul Gupta
Modified: 2014-09-18 16:09 EDT

Fixed In Version: rsyslog 6.1.5
Doc Type: Bug Fix
Last Closed: 2014-09-18 16:09:23 EDT


Description Ratul Gupta 2013-11-20 07:20:51 EST
The gssapi module in Rsyslog is found to be vulnerable to a DoS crash when telnetting to a remote port.

rsyslog-gssapi configuration on foo.example.com is:

    $ModLoad imgssapi
    $InputGSSServerRun 1514

Now the output result for the crash from the reporter seems to be like:

    # telnet foo.example.com 1514
    Connected to foo.example.com
    Escape character is '^]'.
    Connection closed by foreign host.

/var/log/syslog on foo.example.com has:

    Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored

and rsyslogd crashes like:

    5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
    5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
    5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
    5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
    5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
    5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
    5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
    Segmentation fault (core dumped)

Program terminated with signal 11, Segmentation fault, which confirms the issue.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729658
Comment 1 Ratul Gupta 2013-11-20 07:22:17 EST
Created rsyslog tracking bugs for this issue:

Affects: fedora-all [bug 1032575]
Comment 2 Vincent Danen 2013-11-21 11:10:55 EST
This issue does not affect rsyslog as shipped with Fedora 19 and 20 (7.2.6).  It does affect the version of rsyslog5 as shipped with Red Hat Enterprise Linux 5 (but not rsyslog 3.x).  It does affect rsyslog on Red Hat Enterprise Linux 6, but was fixed in 5.8.10-8.el6 (released with 6.5):

* Wed Aug 14 2013 Tomas Heinrich <theinric@redhat.com> 5.8.10-8
...
- add a patch to prevent a segfault in gssapi
  resolves: #862517

A simple workaround for those using GSSAPI with rsyslog is to use iptables to restrict incoming connections to trusted machines only.  It's not a perfect work-around (one could telnet to the rsyslog listening port from one of the trusted machines and cause a crash), but it would seriously reduce the attack surface.
Comment 3 Vincent Danen 2013-11-21 11:45:03 EST
This was corrected upstream here:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=bea499dcb2747d1f5b42eae4978cfe86a37dc957#patch3

Interestingly, it looks like it was a side-effect of improving some TLS features.

This is fixed in Red Hat Enterprise Linux 6 via RHBA-2013:1716:

  https://rhn.redhat.com/errata/RHBA-2013-1716.html

* The imgssapi module is initialized as soon as the configuration file reader
encounters the $InputGSSServerRun directive in the /etc/rsyslog.conf
configuration file. The supplementary options configured after
$InputGSSServerRun are therefore ignored. For configuration to take effect, all
imgssapi configuration options must be placed before $InputGSSServerRun.
Previously, when this order was reversed, the rsyslogd daemon terminated
unexpectedly with a segmentation fault. This bug has been fixed, and rsyslogd no
longer crashes in the described scenario. (BZ#862517)
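
The ordering rule in the erratum text above can be checked mechanically before a configuration is deployed. The following is an added example, not code from rsyslog or from this bug report: it flags every `$InputGSS*` option that appears after `$InputGSSServerRun`. The function name, the sample configurations and the two option names used in them (which come from rsyslog's imgssapi documentation, not from this page) are assumptions.

```python
import re

# A legacy-format rsyslog directive: optional indent, then "$Name".
DIRECTIVE = re.compile(r"^\s*(\$[A-Za-z]\w*)")
RUN = "$inputgssserverrun"
PREFIX = "$inputgss"


def misplaced_gss_options(conf_text):
    """Return [(line_no, directive)] for each $InputGSS* option that follows
    the first $InputGSSServerRun, i.e. one the erratum says is ignored."""
    run_seen = False
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match is None:
            continue  # blank line, "#" comment, or a non-directive rule
        name = match.group(1)
        lowered = name.lower()  # assumption: directive names are case-insensitive
        if lowered == RUN:
            run_seen = True  # listener starts here; later options come too late
        elif run_seen and lowered.startswith(PREFIX):
            findings.append((line_no, name))
    return findings


# Constructed sample configurations (not taken from the bug report).
BAD_CONF = """\
$ModLoad imgssapi
# listener is started first, so the two options below never apply
$InputGSSServerRun 1514
$InputGSSServerPermitPlainTCP off
$InputGSSServerMaxSessions 200
*.* /var/log/messages
"""

GOOD_CONF = """\
$ModLoad imgssapi
$InputGSSServerPermitPlainTCP off
$InputGSSServerMaxSessions 200
$InputGSSServerRun 1514
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        for line_no, name in misplaced_gss_options(conf):
            print(f"{label}: line {line_no}: {name} comes after $InputGSSServerRun")
```

On the rsyslog builds this bug lists as affected, a non-empty result marks the reversed ordering that the erratum ties to the segmentation fault; on fixed builds it marks options that are silently ignored.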
Comment 4 Vincent Danen 2013-11-21 11:48:19 EST
The upstream git commit, according to the changelog, was fixed in 6.1.5.
Comment 6 Tomas Hoger 2014-09-18 16:09:23 EDT
As noted in comment 3, this was corrected in Red Hat Enterprise Linux 6 via RHBA-2013:1716.  There is no plan to address this in Red Hat Enterprise Linux 5.
