The gssapi module in Rsyslog is found to be vulnerable to a DoS crash when telnetting to a remote port.

rsyslog-gssapi configuration on foo.example.com is:

$ModLoad imgssapi
$InputGSSServerRun 1514

Now the output result for the crash from the reporter seems to be like:

# telnet foo.example.com 1514
# Connected to foo.example.com
# Escape character is '^]'.
# Connection closed by foreign host.
#
# /var/log/syslog on foo.example.com has:
#
# Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored
#
# and rsyslogd crashes like:
#
# 5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
# 5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
# 5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
# 5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
# 5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
# 5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
# 5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
# Segmentation fault (core dumped)

Program terminated with signal 11, Segmentation fault, which confirms the issue.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729658
Created rsyslog tracking bugs for this issue: Affects: fedora-all [bug 1032575]
This issue does not affect rsyslog as shipped with Fedora 19 and 20 (7.2.6). It does affect the version of rsyslog5 as shipped with Red Hat Enterprise Linux 5 (but not rsyslog 3.x). It does affect rsyslog on Red Hat Enterprise Linux 6, but was fixed in 5.8.10-8.el6 (released with 6.5):

* Wed Aug 14 2013 Tomas Heinrich <theinric> 5.8.10-8
...
- add a patch to prevent a segfault in gssapi
  resolves: #862517

A simple workaround for those using GSSAPI with rsyslog is to use iptables to restrict incoming connections to trusted machines only. It's not a perfect workaround (one could telnet to the rsyslog listening port from one of the trusted machines and cause a crash), but it would seriously reduce the attack surface.
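The iptables workaround from the comment above, written out as an added example (this script is not part of the bug report or of rsyslog). It assumes the listener port from the report (1514) and a constructed list of trusted hosts (192.0.2.x documentation addresses); the host list, the port and the chain position are the things to adapt. The rules are generated as text first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: iptables workaround for an exposed imgssapi listener.
# Not from the bug report or the rsyslog project. Assumes port 1514 (from the
# report) and hypothetical trusted hosts passed on the command line.

PORT="${GSS_PORT:-1514}"

# Print the iptables commands that restrict TCP $1 to the hosts in $2..$n.
# The DROP is emitted first and every rule uses -I, so after applying them in
# order the ACCEPT rules sit above the DROP in INPUT, whatever was there before.
gss_restrict_rules() {
    port="$1"; shift
    [ "$#" -gt 0 ] || { echo "no trusted hosts given" >&2; return 1; }
    echo "iptables -I INPUT -p tcp --dport $port -j DROP"
    for host in "$@"; do
        echo "iptables -I INPUT -p tcp --dport $port -s $host -j ACCEPT"
    done
}

# Number of rules produced: one ACCEPT per trusted host plus the final DROP.
gss_restrict_count() {
    gss_restrict_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules when run as root; otherwise only print them (dry run), so the
# script can be reviewed on a workstation before it touches a log server.
gss_restrict_apply() {
    if [ "$(id -u)" -eq 0 ]; then
        gss_restrict_rules "$@" | sh -e
    else
        echo "# not root: printing rules only" >&2
        gss_restrict_rules "$@"
    fi
}

# Demo with constructed trusted hosts:  sh gss-restrict.sh demo
case "${1:-}" in
    demo) gss_restrict_apply "$PORT" 192.0.2.10 192.0.2.11 ;;
esac
```

Even with these rules in place the caveat from the comment stands: any host on the ACCEPT list can still trigger the crash, so the rules reduce exposure rather than remove it, and the real fix is the patched package.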
This was corrected upstream here:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=bea499dcb2747d1f5b42eae4978cfe86a37dc957#patch3

Interestingly, it looks like it was a side-effect of improving some TLS features.

This is fixed in Red Hat Enterprise Linux 6 via RHBA-2013:1716:

https://rhn.redhat.com/errata/RHBA-2013-1716.html

* The imgssapi module is initialized as soon as the configuration file reader encounters the $InputGSSServerRun directive in the /etc/rsyslog.conf configuration file. The supplementary options configured after $InputGSSServerRun are therefore ignored. For configuration to take effect, all imgssapi configuration options must be placed before $InputGSSServerRun. Previously, when this order was reversed, the rsyslogd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed, and rsyslogd no longer crashes in the described scenario. (BZ#862517)
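The ordering rule quoted from the erratum (every imgssapi option before $InputGSSServerRun) is easy to get wrong in a legacy-format rsyslog.conf, so here is an added example that checks it; it is not part of the bug report or of rsyslog. The two sample configurations it writes are constructed for the demo, and the option names used in them ($InputGSSServerPermitPlainTCP, $InputGSSServerMaxSessions) are assumed from the imgssapi legacy directive set; the check itself only relies on the $InputGSSServer prefix and on $InputGSSServerRun.

```shell
#!/bin/sh
# Added example (not from the bug report or the rsyslog project): flag imgssapi
# options that appear after $InputGSSServerRun in a legacy rsyslog.conf. Such
# options are ignored by fixed builds and crashed unfixed ones.

# Print each offending line as FILE:LINE: text; exit 1 if any were found.
# Matching is case-insensitive, as rsyslog treats legacy directives.
gss_order_check() {
    awk '
        { l = tolower($0) }
        /^[ \t]*#/ { next }
        l ~ /^[ \t]*\$inputgssserverrun[ \t]/ { run = NR; next }
        run && l ~ /^[ \t]*\$inputgssserver/ {
            printf "%s:%d: %s (after $InputGSSServerRun on line %d)\n", FILENAME, NR, $0, run
            bad++
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Number of offending lines in a file (0 when the order is right).
gss_order_violations() {
    gss_order_check "$1" | wc -l | tr -d ' '
}

# Constructed sample configs for the demo: bad.conf has the reversed order the
# erratum describes, good.conf lists the options first and the listener last.
# The option names are assumed from the imgssapi legacy directive set.
gss_write_samples() {
    dir="$1"
    cat > "$dir/bad.conf" <<'EOF'
$ModLoad imgssapi
$InputGSSServerRun 1514
$InputGSSServerPermitPlainTCP on
$InputGSSServerMaxSessions 100
EOF
    cat > "$dir/good.conf" <<'EOF'
$ModLoad imgssapi
# options first, listener last
$InputGSSServerPermitPlainTCP on
$InputGSSServerMaxSessions 100
$InputGSSServerRun 1514
EOF
}

# Demo:  sh gss-order-check.sh demo      (or: gss_order_check /etc/rsyslog.conf)
case "${1:-}" in
    demo)
        tmp=$(mktemp -d); gss_write_samples "$tmp"
        gss_order_check "$tmp/bad.conf" || echo "bad.conf: move the options above \$InputGSSServerRun"
        gss_order_check "$tmp/good.conf" && echo "good.conf: ok"
        rm -rf "$tmp" ;;
esac
```

On the unfixed packages the checker is a pre-restart guard: a configuration it flags is one that would have crashed rsyslogd at startup, and on fixed packages it is one whose flagged options silently do nothing.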
The upstream git commit, according to the changelog, was fixed in 6.1.5.
As noted in comment 3, this was corrected in Red Hat Enterprise Linux 6 via RHBA-2013:1716. There is no plan to address this in Red Hat Enterprise Linux 5.