what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

rsyslog ElasticSearch Memory Corruption

rsyslog ElasticSearch Memory Corruption
Posted Jul 5, 2013
Authored by Markus Vervier, Marius Ionescu | Site lsexperts.de

rsyslog ElasticSearch plugin suffers from a double free memory corruption. rsyslog versions 7.4.0 stable through 7.4.1 stable and 7.3.2 devel through 7.5.1 devel are affected.

tags | advisory
advisories | CVE-2013-4758
SHA-256 | c9b79425a99d604dd1c1d69b803474783b1a91144c92fa3d3e6e0ef941f7e904

rsyslog ElasticSearch Memory Corruption

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=== LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 ===

rsyslog ElasticSearch Plugin - Double Free Memory Corruption
- ------------------------------------------------------------

Affected Version
================
rsyslog 7.4.0 stable <= 7.4.1 stable
rsyslog 7.3.2 devel <= 7.5.1 devel

Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards
Credits: LSE Leading Security Experts GmbH employee Markus Vervier and
Marius Ionescu
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt
Advisory Status: Public
CVE-Number: CVE-2013-4758

Problem Impact
==============
While conducting a code review, a double free memory corruption
vulnerability was discovered in the ElasticSearch plugin of rsyslog.
This could allow a remote attacker to crash rsyslog and possibly
execute code if he can manipulate JSON responses from ElasticSearch.

Problem Description
===================
A double free memory corruption exists in all implementations of the
rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel
having the "errorfile" parameter explicitly set for local logging.
The variable "rendered" in function writeDataError of
omelasticsearch.c is freed twice. This allows heap corruption and
possible code execution if an attacker is able to control memory
between subsequent calls to free.

Temporary Workaround and Fix
============================
It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as
soon as possible.

As a workaround the "errorfile" configuration parameter should be
disabled, as is the default in rsyslog.

History
=======
2013-06-27 Problem discovery during code review at customer
2013-07-03 Original vendor contacted
2013-07-03 Vulnerability confirmed by vendor
2013-07-03 Fix released
2013-07-04 CVE-2013-4758 assigned
2013-07-05 Coordinated advisory release
- --
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9
lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS
5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe
kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6
0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys
ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30
uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr
HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8
jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D
MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J
SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS
fwuOw+xvnSrruDiP1Dho
=HJxe
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close