CVE-2024-22857
published 2024-03-07


Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.70% (74.3rd percentile)
Heap-based buffer overflow in zlog v1.1.0 to v1.2.17 in zlog_rule_new(). The record_name buffer is MAXLEN_PATH (1024) + 1 bytes, but file_path may hold up to MAXLEN_CFG_LINE (MAXLEN_PATH*4) + 1 bytes. zlog_rule_new() copied record_name from file_path + 1 without a length check, so an over-long value overruns record_name on the heap. An attacker who can supply a crafted configuration file can overwrite the zlog_record_fn record_func function pointer to gain arbitrary code execution, and potentially remote code execution (RCE) where the configuration is attacker-influenced.
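The bug class described above, as an added example that is not zlog's own source: a simplified model of the heap object (the field order and names are assumptions; only record_name, MAXLEN_PATH, MAXLEN_CFG_LINE and record_func come from the advisory) with the unchecked copy beside the length check the advisory says was missing. The oversized name is deliberately sized to end at the last byte of the model struct so the demonstration stays inside its own allocation and runs deterministically; a real configuration line can be up to MAXLEN_CFG_LINE bytes and would also trample heap metadata past the object.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLEN_PATH     1024
#define MAXLEN_CFG_LINE (MAXLEN_PATH * 4)

typedef int (*zlog_record_fn)(const char *msg, size_t len);

/* Assumed, simplified layout (not zlog's real struct): only the fields the
 * advisory names, placed so that record_func lies after record_name. */
typedef struct {
    char           record_name[MAXLEN_PATH + 1];
    char           record_path[MAXLEN_PATH + 1];
    zlog_record_fn record_func;
} model_rule_t;

static int legit_record(const char *msg, size_t len) { (void)msg; return (int)len; }

/* Build a "$name" rule value: '$' followed by name_len bytes of 'A' (constructed input). */
static void make_file_path(char *buf, size_t bufsz, size_t name_len) {
    if (name_len + 2 > bufsz) name_len = bufsz - 2;
    buf[0] = '$';
    memset(buf + 1, 'A', name_len);
    buf[1 + name_len] = '\0';
}

/* VULNERABLE pattern: copy up to the NUL with no length check, as the advisory
 * describes. Any name longer than MAXLEN_PATH runs past record_name. */
static void set_record_name_unchecked(model_rule_t *r, const char *file_path) {
    const char *src = file_path + 1;                      /* skip the leading '$' */
    unsigned char *dst = (unsigned char *)r + offsetof(model_rule_t, record_name);
    memcpy(dst, src, strlen(src) + 1);
}

/* HARDENED pattern: refuse names that cannot fit in MAXLEN_PATH + 1 bytes
 * including the terminating NUL, so nothing is written past record_name. */
static int set_record_name_checked(model_rule_t *r, const char *file_path) {
    const char *src = file_path + 1;
    size_t n = strlen(src);
    if (n > MAXLEN_PATH) return -1;
    memcpy(r->record_name, src, n + 1);
    return 0;
}

/* Returns 1 if the unchecked copy of an oversized name clobbered record_func. */
int demo_unchecked_overflow(void) {
    model_rule_t *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->record_func = legit_record;
    /* Long enough to reach the last byte of the struct (well under MAXLEN_CFG_LINE). */
    size_t name_len = sizeof *r - offsetof(model_rule_t, record_name) - 1;
    char line[MAXLEN_CFG_LINE + 2];
    make_file_path(line, sizeof line, name_len);
    set_record_name_unchecked(r, line);
    int clobbered = (r->record_func != legit_record);
    free(r);
    return clobbered;
}

/* Returns the checked setter's result for a name of name_len bytes;
 * -2 would mean the function pointer was disturbed, which must never happen. */
int demo_checked(size_t name_len) {
    model_rule_t r;
    memset(&r, 0, sizeof r);
    r.record_func = legit_record;
    char line[MAXLEN_CFG_LINE + 2];
    make_file_path(line, sizeof line, name_len);
    int rc = set_record_name_checked(&r, line);
    if (r.record_func != legit_record) return -2;
    return rc;
}

int main(void) {
    printf("unchecked copy clobbered record_func: %d\n", demo_unchecked_overflow());
    printf("checked copy, %d-byte name: %d\n", MAXLEN_PATH, demo_checked(MAXLEN_PATH));
    printf("checked copy, %d-byte name: %d\n", MAXLEN_PATH + 1, demo_checked(MAXLEN_PATH + 1));
    return 0;
}
```

The check is the whole fix: once the copy refuses anything longer than MAXLEN_PATH, the length of file_path (up to MAXLEN_CFG_LINE + 1) no longer matters for record_name, and the function pointer that follows it on the heap stays intact.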

Detection & IOCs (extracted from sources)

  • The vulnerability resides in zlog_rule_new() where record_name (sized MAXLEN_PATH+1 = 1025 bytes) is overflowed by file_path data up to MAXLEN_CFG_LINE (MAXLEN_PATH*4)+1 bytes — monitor for heap corruption or anomalous writes in this function during zlog config parsing.
  • The overflow targets the zlog_record_fn record_func function pointer on the heap — look for heap metadata corruption or unexpected function pointer overwrites in zlog processes as a sign of exploitation.
  • Affected versions are zlog v1.1.0 through v1.2.17 — flag any deployment of these versions in your environment as vulnerable to heap-based buffer overflow via crafted config input.
  • The overflow is triggered via a crafted zlog configuration file whose file_path rule value exceeds MAXLEN_PATH (1024 bytes), up to MAXLEN_CFG_LINE (MAXLEN_PATH*4 = 4096 bytes); exploitation requires the ability to supply or influence the zlog configuration file.