-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 === LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 === rsyslog ElasticSearch Plugin - Double Free Memory Corruption - ------------------------------------------------------------ Affected Version ================ rsyslog 7.4.0 stable <= 7.4.1 stable rsyslog 7.3.2 devel <= 7.5.1 devel Problem Overview ================ Technical Risk: high Likelihood of Exploitation: low Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards Credits: LSE Leading Security Experts GmbH employee Markus Vervier and Marius Ionescu Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt Advisory Status: Public CVE-Number: CVE-2013-4758 Problem Impact ============== While conducting a code review, a double free memory corruption vulnerability was discovered in the ElasticSearch plugin of rsyslog. This could allow a remote attacker to crash rsyslog and possibly execute code if he can manipulate JSON responses from ElasticSearch. Problem Description =================== A double free memory corruption exists in all implementations of the rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel having the "errorfile" parameter explicitly set for local logging. The variable "rendered" in function writeDataError of omelasticsearch.c is freed twice. This allows heap corruption and possible code execution if an attacker is able to control memory between subsequent calls to free. Temporary Workaround and Fix ============================ It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as soon as possible. As a workaround the "errorfile" configuration parameter should be disabled, as is the default in rsyslog. History ======= 2013-06-27 Problem discovery during code review at customer 2013-07-03 Original vendor contacted 2013-07-03 Vulnerability confirmed by vendor 2013-07-03 Fix released 2013-07-04 CVE-2013-4758 assigned 2013-07-05 Coordinated advisory release - -- http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel.: +49 (0) 6151 86086-0, Fax: -299, Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9 lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS 5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6 0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30 uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8 jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS fwuOw+xvnSrruDiP1Dho =HJxe -----END PGP SIGNATURE-----