[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
From: robkraus@xxxxxxxxxxxxxxx
Date: Fri, 10 Dec 2010 07:06:14 -0700

Title: ManageEngine EventLog Analyzer Syslog Remote Denial of Service 
Vulnerability
Risk (CVSS2 Base Score): High (7.8)
Solutionary ID: SERT-VDN-1000 
CVE ID: Pending
Solutionary Disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-Eventlog-Analyzer-Syslog-Renite-DoS-vuln.html

Product: ManageEngine EventLog Analyzer version 6.1
Application Vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research 
Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010

Type of vulnerability: Denial of Service, Buffer Overflow
Exploit Vectors: Local and Remote

Vulnerability Description:  The application is vulnerable to a Denial of 
Service (DoS) condition due to a buffer overflow encountered when an attacker 
sends a specially crafted UDP packet to either port 514/UDP or  port 513/UDP of 
the Syslog server. The DoS condition is experienced as a result of sending a 
large amount of data in the Syslog PRI message header field. The length of data 
sent to the field causes the application to stop responding and terminates the 
?SysEvttCol.exe? process on the affected target. 

Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default 
installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 
(previous versions may also be vulnerable)

Impact: Successful exploitation of the described vulnerability will cause a DoS 
to legitimate users and applications. The DoS condition will result in the loss 
of centralized Syslog message collection, and may reduce the detection 
capability of the affected organization for identifying follow-on attacks and 
monitoring critical system messages. Additionally, a skilled attacker may be 
able to leverage the buffer overflow condition to execute arbitrary commands in 
the context of the account the application is running as.

Fixed in: No fix currently available.

Remediation guidelines: The vendor has not provided any remediation guidelines 
to address this issue. Solutionary recommends upgrading the application if 
patches are provided to address the issue identified. Limit access to only 
those systems requiring interaction with the service to reduce available attack 
vectors.

Keywords: security, vulnerability, ManageEngine, syslog, dos, event, log

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html

Prev by Date: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
Next by Date: [SECURITY] [DSA-2131-1] New exim4 packages fix remote code execution
Previous by thread: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
Next by thread: [SECURITY] [DSA-2131-1] New exim4 packages fix remote code execution
Index(es):
- Date
- Thread