CVE-2022-24903 : Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog recep

Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.

Published 2022-05-06 00:15:08

Updated 2023-06-23 19:43:17

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowInput validationExecute code

Products affected by CVE-2022-24903

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Rsyslog » Rsyslog
Versions before (<) 8.2204.1
cpe:2.3:a:rsyslog:rsyslog:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24903

EPSS FAQ

1.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24903

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-24903

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: security-advisories@github.com (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Secondary)
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-24903

https://www.debian.org/security/2022/dsa-5150

Debian -- Security Information -- DSA-5150-1 rsyslog
Third Party Advisory
https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8

Potential heap buffer overflow in TCP syslog server (receiver) components · Advisory · rsyslog/rsyslog · GitHub
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00028.html

[SECURITY] [DLA 3016-1] rsyslog security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20221111-0002/

CVE-2022-24903 Rsyslog Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://github.com/rsyslog/rsyslog/commit/f211042ecbb472f9d8beb4678a65d272b6f07705

Merge pull request from GHSA-ggw7-xr6h-mmr8 · rsyslog/rsyslog@f211042 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMNNXLCU2UORRVSZO24HL4KMVPK5PHVW/

[SECURITY] Fedora 35 Update: rsyslog-8.2204.0-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24903

Products affected by CVE-2022-24903

Exploit prediction scoring system (EPSS) score for CVE-2022-24903

CVSS scores for CVE-2022-24903

CWE ids for CVE-2022-24903

References for CVE-2022-24903