Potential DoS in Interactive Syslog Server

Grossrinderfeld, 2003-09-15 (Updated 2003-10-21)

A potential denial of service (DoS) condition has been identified in Interactive Syslog Server. Oversized messages sent to the Interactive Syslog Server may yield to high CPU utilization of Interactive Syslog Server. Depending on the operating system it is run on, this can also yield to a denial of service condition to the underlaying operating system (Adiscon was not able to reproduce an actual DoS on the operating system itself, but the security researcher discovering this bug said he could do so).

Please note that this vulnerability affects the interactive syslog server, only. Adiscon recommends using interactive server only for real-time message reception and device debugging. Any production monitoring should be done via the WinSyslog or MonitorWare Agent service. The service is not vulnerable to this issue. However, Adiscon has begun a new code audit in respect to buffer sizes. Should any issue with the services be discovered, we will post a new advisory.

As a side note, please keep in mind that interactive processes can never be used for any reliable logging. As such, we strongly recommend against using the Interactive server for any serious and continous logging needs. It is not designed for this, it is designed as an interactive troubleshooting tool. Running a log server interactively will most probably expose you to many more security threads – from simply missing log data because the interactive session was somehow terminated to security weaknesses stemming back to the fact that an interactive logon session was established. Please use WinSyslog securely: if you do serious logging, use the service for this. It is designed for it. The interactive syslog server should not be present in a real-life, serious logging infrastructure (use it to setup your logging environment, test anything and the remove remove it).

Products & Product Versions Affected

All Versions of WinSyslog and MonitorWare Agent downloaded prior to 2003-09-15. As of 2003-09-16, the download sets already contain the fix. Any customer who downloaded the product before that date is advised to download the fix. The fixed version is identified as 4.2.36 in help/about. WinSyslog 5.0 final release includes the fixed version, so there is no need to apply a fix if you use that version.

Solution

Affected customers should download the hotfixes mentioned below and copy the ZIP file contents to the product installation directory. Alternatively, they can download the full package again and re-install it.

• For WinSyslog (including 5.0 beta), please use www.adiscon.org/download/WinSyslog-hotfix-2003-09-15.zip.
• For MonitorWare Agent, please use www.adiscon.org/download/MWAgent-hotfix-2003-09-15.zip.

Again, we recommend against using Interactive syslog server for serious logging purposes – it was not designed for this. If you use the products as recommended, you will not run Interactive Server at all and willnot be vulnerable.

Credits

Adiscon whishes to thank Noam Rathaus of Beyond Security Ltd. (http://www.securiteam.com) for reporting this issue and working with us to resolve it.

Reporting Security Issues

Adiscon believes in the value of working with security researchers. Any security issue should please be reported to support@adiscon.com and it will receive immediate attention.

Receiving Advisories via EMail

Adiscon also provides product announcement mailing lists. These are of low-volume and strictly technical. They will carry notifications about new product versions, bug fixes and such. They will NOT be abused for marketing. GNU Mailman is used for these mailing lists, so unsubscribing is always easy. Advisories are also posted to our product announcement list. You can subscribe below:

• For MonitorWare Agent please subscribe at:
  http://lists.adiscon.net/mailman/listinfo/mwagent
• For WinSyslog please subscribe at:
  http://lists.adiscon.net/mailman/listinfo/winsyslog