Bug 1658366 (CVE-2018-16881) - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled
Summary: CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Frami...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1659316 1669364 1669365
Blocks: 1658368
TreeView+ depends on / blocked
 
Reported: 2018-12-11 21:05 UTC by Laura Pardo
Modified: 2019-09-29 15:04 UTC (History)
27 users (show)

Fixed In Version: rsyslog 8.27.0
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:20:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2110 None None None 2019-08-06 12:15:33 UTC
Red Hat Product Errata RHSA-2019:2437 None None None 2019-08-12 11:54:17 UTC
Red Hat Product Errata RHSA-2019:2439 None None None 2019-08-12 11:54:40 UTC

Description Laura Pardo 2018-12-11 21:05:40 UTC
An issue was found in rsyslog. When imtcp module and Octet-Counted TCP Framing ("on" by default) are enabled, Rsyslog can be crashed remotely when sending an crafted (improperly formatted) message to "imptcp" listening socket.


Upstream Patch:
https://github.com/rsyslog/rsyslog/commit/0381a0de64a5a048c3d48b79055bd9848d0c7fc2

Comment 4 Doran Moppert 2018-12-14 04:09:22 UTC
This vulnerability appears to have been introduced in upstream commit 6c52f29d59, which was first included in release 8.13.1.

> optimized payload-copy in processDataRcvd for octate-counted frames (as length is pre-known, it is possible to avoid coping char by char, as opposed to octate-stuffed frames).

Comment 7 Laura Pardo 2018-12-18 19:37:06 UTC
Acknowledgments:

Name: Joel Miller (Pennsylvania Higher Education Assistance Agency)

Comment 8 Doran Moppert 2018-12-19 03:31:51 UTC
Mitigation:

This vulnerability requires the "imptcp" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.

Comment 12 Mark D. Foster 2019-02-05 23:17:36 UTC
shouldn't it say imtcp (instead of imptcp)?

Comment 13 Jiří Vymazal 2019-02-06 08:16:33 UTC
(In reply to Mark D. Foster from comment #12)
> shouldn't it say imtcp (instead of imptcp)?

No, there are two separate rsyslog plugins, imtcp adn imptcp (sort of simplified version), this bug concerns the latter one.

Comment 14 errata-xmlrpc 2019-08-06 12:15:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2110 https://access.redhat.com/errata/RHSA-2019:2110

Comment 15 Product Security DevOps Team 2019-08-06 13:20:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16881

Comment 16 errata-xmlrpc 2019-08-12 11:54:14 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437

Comment 17 errata-xmlrpc 2019-08-12 11:54:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439


Note You need to log in before you can comment on or make changes to this bug.