Bug 1658366 (CVE-2018-16881) - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled
Summary: CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Frami...
Status: NEW
Alias: CVE-2018-16881
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20170419,repor...
Keywords: Security
Depends On: 1659316 1669364 1669365
Blocks: 1658368
TreeView+ depends on / blocked
Reported: 2018-12-11 21:05 UTC by Laura Pardo
Modified: 2019-02-06 08:16 UTC (History)
28 users (show)

Fixed In Version: rsyslog 8.27.0
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Laura Pardo 2018-12-11 21:05:40 UTC
An issue was found in rsyslog. When imtcp module and Octet-Counted TCP Framing ("on" by default) are enabled, Rsyslog can be crashed remotely when sending an crafted (improperly formatted) message to "imptcp" listening socket.

Upstream Patch:

Comment 4 Doran Moppert 2018-12-14 04:09:22 UTC
This vulnerability appears to have been introduced in upstream commit 6c52f29d59, which was first included in release 8.13.1.

> optimized payload-copy in processDataRcvd for octate-counted frames (as length is pre-known, it is possible to avoid coping char by char, as opposed to octate-stuffed frames).

Comment 7 Laura Pardo 2018-12-18 19:37:06 UTC

Name: Joel Miller (Pennsylvania Higher Education Assistance Agency)

Comment 8 Doran Moppert 2018-12-19 03:31:51 UTC

This vulnerability requires the "imptcp" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.

Comment 12 Mark D. Foster 2019-02-05 23:17:36 UTC
shouldn't it say imtcp (instead of imptcp)?

Comment 13 Jiří Vymazal 2019-02-06 08:16:33 UTC
(In reply to Mark D. Foster from comment #12)
> shouldn't it say imtcp (instead of imptcp)?

No, there are two separate rsyslog plugins, imtcp adn imptcp (sort of simplified version), this bug concerns the latter one.

Note You need to log in before you can comment on or make changes to this bug.