Red Hat Bugzilla – Bug 1032572
rsyslog: remote DoS when imgssapi module is enabled
Last modified: 2014-09-18 16:09:23 EDT
The gssapi module in Rsyslog is found to be vulnerable to a DoS crash when telneting to a remote port.
rsyslog-gssapi configuration on foo.example.com is:
Now the output result for the crash from the reporter seems to be like:
# telnet foo.example.com 1514
# Connected to foo.example.com
# Escape character is '^]'.
# Connection closed by foreign host.
# /var/log/syslog on foo.example.com has:
# Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored
# and rsyslogd crashes like:
# 5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
# 5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
# 5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
# 5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
# 5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
# 5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
# 5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
# Segmentation fault (core dumped)
Program terminated with signal 11, Segmentation fault, which confirms the issue.
Created rsyslog tracking bugs for this issue:
Affects: fedora-all [bug 1032575]
This issue does not affect rsyslog as shipped with Fedora 19 and 20 (7.2.6). It does affect the version of ryslog5 as shipped with Red Hat Enterprise Linux 5 (but not rsyslog 3.x). It does affect rsyslog on Red Hat Enterprise Linux 6, but was fixed in 5.8.10-8.el6 (released with 6.5):
* Wed Aug 14 2013 Tomas Heinrich <firstname.lastname@example.org> 5.8.10-8
- add a patch to prevent a segfault in gssapi
A simple workaround for those using GSSAPI with rsyslog is to use iptables to restrict incoming connections to trusted machines only. It's not a perfect work-around (one could telnet to the rsyslog listening port from one of the trusted machines and cause a crash), but it would seriously reduce the attack surface.
This was corrected upstream here:
Interestingly, it looks like it was a side-effect of improving some TLS features.
This is fixed in Red Hat Enterprise Linux 6 via RHBA-2013:1716:
* The imgssapi module is initialized as soon as the configuration file reader
encounters the $InputGSSServerRun directive in the /etc/rsyslog.conf
configuration file. The supplementary options configured after
$InputGSSServerRun are therefore ignored. For configuration to take effect, all
imgssapi configuration options must be placed before $InputGSSServerRun.
Previously, when this order was reversed, the rsyslogd daemon terminated
unexpectedly with a segmentation fault. This bug has been fixed, and rsyslogd no
longer crashes in the described scenario. (BZ#862517)
The upstream git commit, according to the changelog, was fixed in 6.1.5.
As noted in comment 3, this was corrected in Red Hat Enterprise Linux 6 via RHBA-2013:1716. There is no plan to address this in Red Hat Enterprise Linux 5.