CVE-2011-3200
Published: 2011-09-06
Priority: P3 · 37 · medium · CVSS 2.0 score 5.0 · vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 20.76% (97.2th percentile)
Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message.
Affected (56 ranges · showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rsyslog | < rsyslog 5.8.5-1 (bookworm) | rsyslog 5.8.5-1 (bookworm) |
| rsyslog | rsyslog | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for syslog messages with a TAG field of 512 or more characters sent to the UDP/TCP syslog port; the overflow writes '\0' or ':\0' past the 512-byte bufParseTAG array boundary.
- Monitor the rsyslogd process for sudden termination preceded by a glibc "stack smashing detected" message, which is the observable crash signature on ia-32 (RHEL6) systems.
- The vulnerability is remotely triggerable if rsyslogd is configured to receive messages over UDP or TCP; an attacker can send the malformed message using netcat from a remote host.
- Affected versions are rsyslog 4.6.0–4.6.7 and 5.2.0–5.8.4; the bug was introduced in 4.6.0 and corrected in 4.6.8/5.8.5. Focus detection on hosts running these version ranges.
- On x86-64 the stack guard variable is located 8 bytes above bufParseTAG, so the overflow may not reach it; the bug is most reliably triggered on ia-32 (32-bit) systems such as RHEL6 i686.
- A Metasploit auxiliary module (dos/syslog/rsyslog_long_tag) exists for this vulnerability; detect or block exploitation attempts from known Metasploit framework user-agents or scanning patterns targeting syslog ports.
- The vulnerability is only exploitable remotely if rsyslogd is explicitly configured to accept messages over UDP or TCP; default local-only configurations are not remotely reachable.
- RHEL5 is not affected because its rsyslog code does not use a stack-allocated buffer with an index variable for TAG parsing; it uses a malloc-allocated buffer accessed via pointer increment.
- Compiler differences (e.g., stack layout on x86-64 vs ia-32) may prevent the overflow from reaching the SSP guard cookie, so the bug may cause no noticeable result on many systems.
- The overflow is limited to writing '\0' or ':\0' past the buffer boundary; arbitrary code execution is not considered feasible because SSP reduces the impact to a crash and gcc places all other local variables below the buffer.
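The TAG-length check from the first bullet, as an added example (not code from this page or from rsyslog): it extracts the TAG using a simplified legacy-syslog framing (optional PRI, optional timestamp, hostname, then TAG up to the first ':' or space), which is an assumption here rather than rsyslog's exact parsing, and flags any message whose TAG would fill the 512-byte bufParseTAG buffer.

```python
import re

# rsyslog's legacy parser copies the TAG into a fixed 512-byte stack buffer
# (bufParseTAG); a TAG of 512 or more characters is what triggers the
# off-by-two write described in this advisory.
TAG_BUF_SIZE = 512

# Simplified legacy (RFC 3164-style) framing, assumed here rather than taken
# from rsyslog's code: optional <PRI>, optional "Mmm dd hh:mm:ss " timestamp,
# then a hostname, then the TAG.
_PRI = re.compile(r"^<\d{1,3}>")
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def extract_legacy_tag(msg: str) -> str:
    """Return the TAG field: the run of characters after the hostname up to
    the first ':' or space (the delimiters assumed for this scan)."""
    rest = _PRI.sub("", msg, count=1)
    rest = _TIMESTAMP.sub("", rest, count=1)
    space = rest.find(" ")
    if space == -1:
        return ""  # no hostname/TAG separation; nothing to measure
    rest = rest[space + 1:]
    end = 0
    while end < len(rest) and rest[end] not in ": ":
        end += 1
    return rest[:end]


def is_overlong_tag(msg: str) -> bool:
    """True when the TAG would fill or exceed bufParseTAG."""
    return len(extract_legacy_tag(msg)) >= TAG_BUF_SIZE


def scan(lines):
    """Return (line index, TAG length) for every message that should be flagged."""
    return [(i, len(extract_legacy_tag(m)))
            for i, m in enumerate(lines) if is_overlong_tag(m)]


# Constructed sample input: one benign line and one with a 600-character TAG.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 remote-host " + "A" * 600 + ": payload",
]

if __name__ == "__main__":
    for idx, tag_len in scan(SAMPLE_LINES):
        print(f"line {idx}: TAG length {tag_len} >= {TAG_BUF_SIZE}, flag for CVE-2011-3200")
```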
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-56wq-xcxw-c4q3: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119
OSV
CVE-2011-3200: Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd
osv · 2011-09-06 · CVSS 5.0 · MEDIUM
Ubuntu
rsyslog vulnerability
vendor_ubuntu · 2011-10-03
Summary: Rsyslog could be made to crash if it processed a specially crafted message.
It was discovered that rsyslog had an off-by-two error when parsing legacy syslog messages. An attacker could potentially exploit this to cause a denial of service via application crash.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rsyslog: parseLegacySyslogMsg off-by-two buffer overflow
vendor_redhat · 2011-09-01 · CVSS 5.0 · MEDIUM
Package: rsyslog (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2011-3200: rsyslog - Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslog...
vendor_debian · 2011 · CVSS 5.0 · MEDIUM
Scope: local
bookworm: resolved (fixed in 5.8.5-1)
bullseye: resolved (fixed in 5.8.5-1)
forky: resolved (fixed in 5.8.5-1)
sid: resolved (fixed in 5.8.5-1)
trixie: resolved (fixed in 5.8.5-1)
No detection rules found.
Bugzilla
CVE-2011-3200 rsyslog: parseLegacySyslogMsg off-by-two buffer overflow [fedora-all]
bugzilla · 2011-09-01 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=727644
Please note: this issue affects
Bugzilla
CVE-2011-3200 rsyslog: parseLegacySyslogMsg off-by-two buffer overflow
bugzilla · 2011-08-02 · CVSS 5.0 · MEDIUM
Description of problem: If we send to syslog a specially crafted log message, the stack guard variable protecting the bufParseTAG array in parseLegacySyslogMsg() gets rewritten and rsyslog gets terminated.
Version-Release number of selected component (if applicable): rsyslog-4.6.2-3.el6_1.1.i686
How reproducible: every time on ia-32; on x86-64 the stack guard variable won't get rewritten as it is located 8 bytes above the bufParseTAG array.
Actual results: glibc prints the following message and rsyslog gets terminated:
*** stack smashing detected ***: rsyslogd terminated
Expected results: No abortion.
Additional info: For more info, please, see the following private comment.
Discussion:
- http://git.adiscon.com/?p=rsyslog.git%3Ba=commit%3Bh=1ca6cc236d1dabf1633238b873fb1c057e52f95e
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065837.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065941.html
- http://lists.opensuse.org/opensuse-updates/2011-09/msg00013.html
- http://secunia.com/advisories/45922
- http://secunia.com/advisories/46027
- http://securitytracker.com/id?1026000
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:134
- http://www.redhat.com/support/errata/RHSA-2011-1247.html
- http://www.rsyslog.com/potential-dos-with-malformed-tag/
- http://www.securityfocus.com/bid/49413
- https://bugzilla.redhat.com/show_bug.cgi?id=727644