Potential DoS in Interactive Syslog Server
Grossrinderfeld, 2003-09-15 (Updated 2003-10-21)
A potential denial of service (DoS) condition has been identified in Interactive Syslog Server. Oversized messages sent to the Interactive Syslog Server may yield to high
CPU utilization of Interactive Syslog Server. Depending on the operating system
it is run on, this can also yield to a denial of service condition to the
underlaying operating system (Adiscon was not able to reproduce an actual DoS
on the operating system itself, but the security researcher discovering this bug said he could do so).
Please note that this vulnerability affects the interactive syslog
server, only. Adiscon recommends using interactive server only for real-time
message reception and device debugging. Any production monitoring should be
done via the WinSyslog or MonitorWare Agent service. The service is not vulnerable to this issue. However, Adiscon has begun a new
code audit in respect to buffer sizes. Should any issue with the services be
discovered, we will post a new advisory.
As a side note, please keep in mind that interactive processes can never be used
for any reliable logging. As such, we strongly recommend against using the
Interactive server for any serious and continous logging needs. It is not
designed for this, it is designed as an interactive troubleshooting tool. Running
a log server interactively will most probably expose you to many more security
threads - from simply missing log data because the interactive
session was somehow terminated to security weaknesses stemming back to the fact
that an interactive logon session was established. Please use WinSyslog
securely: if you do serious logging, use the service for this. It is designed
for it. The interactive syslog server should not
be present in a real-life, serious logging infrastructure (use it to setup your
logging environment, test anything and the remove remove it).
Products & Product Versions Affected
All Versions of WinSyslog and MonitorWare Agent downloaded prior to 2003-09-15.
As of 2003-09-16, the download sets already contain the fix. Any customer who
downloaded the product before that date is advised to download the fix. The
fixed version is identified as 4.2.36 in help/about. WinSyslog 5.0 final
release includes the fixed version, so there is no need to apply a fix if you
use that version.
Affected customers should download the hotfixes mentioned below and copy the ZIP
file contents to the product installation directory. Alternatively, they can
download the full package again and re-install it.
Again, we recommend against using Interactive syslog server for serious
logging purposes - it was not designed for this. If you use the
products as recommended, you will not run Interactive Server at all and willnot be vulnerable.
Adiscon whishes to thank Noam Rathaus of Beyond Security Ltd. (http://www.securiteam.com)
for reporting this issue and working with us to resolve it.
Reporting Security Issues
Adiscon believes in the value of working with security researchers. Any security
issue should please be reported to firstname.lastname@example.org and it will receive immediate attention.
Receiving Advisories via EMail
Adiscon also provides product announcement mailing
lists. These are of low-volume and strictly technical. They will carry
notifications about new product versions, bug fixes and such. They will NOT be
abused for marketing. GNU Mailman is used for these mailing lists, so
unsubscribing is always easy. Advisories are also posted to our product
announcement list. You can subscribe below: