rsyslog librelp X.509 Checking Buffer Overflow Remote Code Execution Vulnerability [CVE-2018-1000140]

A vulnerability in the rsyslog librelp library could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to insufficient validation of X.509 certificates from a peer system by the affected software. In addition, the software performs improper checks on the return value from a call to the snprintf function. An attacker who can connect to the rsyslog utility on the targeted system could exploit this vulnerability by sending a crafted X.509 certificate to the system. An exploit could trigger a stack-based buffer overflow in the relpTcpChkPeerName function, as defined in src/tcp.c source code file of the affected software, which could allow the attacker to execute arbitrary code on the system.

The vendor has confirmed the vulnerability and released software updates.

Analysis

To exploit this vulnerability, an attacker must be able to connect to the rsyslog utility on a targeted system in order to send a crafted X.509 certificate to the system. This requirement may reduce the likelihood of a successful exploit.

Safeguards

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.

Vendor Announcements

The vendor has released a git commit at the following link: commit 2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf

Fixed Software

The vendor has released software updates at the following link: librelp 1.2.15