severity 729658 important
thanks

On 15.11.2013 12:46, Guido Günther wrote:
> Package: rsyslog-gssapi
> Version: 5.8.11-3
> Severity: critical
> tags: security
> 
> Hi,
> I can DoS rsyslog with a simple telnet connect:
> 
> rsyslog-gssapi configuration on foo.example.com is:
> 
>     $ModLoad imgssapi
>     $InputGSSServerRun 1514
> 
> Now when telnetting to port 1514 and simply waiting for the
> timeout like:
> 
>     # telnet foo.example.com 1514
>     Connected to foo.example.com
>     Escape character is '^]'.
>     Connection closed by foreign host.
> 
> /var/log/syslog on foo.example.com has:
> 
> Nov 15 12:28:47 foo rsyslogd: TCP session 0x2550730 will be closed, error ignored
> 
> and rsyslogd crashes like:
> 
> 5487.317324670:7ff49169d700: poll returned with i 1, pUsr 0xf106f0
> 5487.317388061:7ff49169d700: New connect on NSD 0xf269d0.
> 5487.319769985:7ff49169d700: GSS-API Trying to accept TCP session 0xf06760
> 5488.321087177:7ff49169d700: Called LogError, msg: TCP session 0xf06760 will be closed, error ignored
> 5488.321207329:7ff49169d700: main Q: entry added, size now log 1, phys 1 entries
> 5488.321250988:7ff49169d700: main Q: EnqueueMsg advised worker start
> 5488.321378952:7ff492ea0700: wti 0xf54e10: worker awoke from idle processing
> Segmentation fault (core dumped)
> 
> The bt is not very helpful though:
> 
> Core was generated by `/usr/sbin/rsyslogd -d -n'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x00007ff4936b5428 in ?? () from /usr/lib/rsyslog/lmtcpsrv.so
> (gdb) bt
> #0  0x00007ff4936b5428 in ?? () from /usr/lib/rsyslog/lmtcpsrv.so
> #1  0x000000000043ae66 in ?? ()
> #2  0x00007ff496056b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
> #3  0x00007ff495994a7d in clone () from /lib/x86_64-linux-gnu/libc.so.6
> #4  0x0000000000000000 in ?? ()
> 
> Since this makes rsyslog-gssapi insecure on any public network I've
> flagged it as critical/security.

Even though I agree that a DoS is bad, I'm downgrading the severity to
non-RC, since the default configuration of rsyslog doesn't ship with
gssapi enabled.
That said, I've CCed the security team, as I'd like their input on this.
If they consider this RC, then I'm fine with raising the severity again.
I'd also be interested if the security team considers this issue
important enough for an rsyslog/stable upload (sid/testing is not
affected). rsyslog-gssapi is not widely used [0].


[0] http://qa.debian.org/popcon-graph.php?packages=rsyslog-gssapi
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
