Bug 1199061 (CVE-2022-24903)

Summary: VUL-0: CVE-2022-24903: rsyslog: potential heap buffer overflow in modules for TCP syslog reception
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: abergmann, Andreas.Stieger, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/330427/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1206201
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1550:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-24903:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 17 Robert Frohl 2022-05-05 12:57:27 UTC 
oss-security:

Severity: High | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

This is a worst case rating. When syslog best practices are applied
(no Internet access to rsyslog receivers) the severity is lower.
Details below.

Advisory: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243

Advisory content:

### Impact
Modules for TCP syslog reception have a heap buffer overflow when
octet-counted framing is used. The attacker can corrupt heap values,
leading to data integrity issues and availability impact. Remote code
execution is unlikely to happen but not impossible.

### Affected modules
* `imtcp`
* `imptcp`
* `imhttp` (contributed module)
* `imgssapi` (long-term semi-contributed module)
* `imdiag`

### Details
The bug occurs when the octet count is read. While there is a check
for the maximum number of octets, digits are written to a heap buffer
even when the octet count is over the maximum, This can be used to
overrun the memory buffer. This can also be used to corrupt other heap
buffers. Once the sequence of digits stop, no additional characters
can be added to the buffer. In our opinion, this makes remote exploits
impossible or at least highly complex.

Octet-counted framing is one of two potential framing modes. It is
relatively uncommon, but enabled by default on receivers.

Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for
regular syslog message reception. It is best practice not to directly
expose them to the public. When this practice is followed, the risk is
considerably lower.

Module `imdiag` is a diagnostics module primarily intended for
testbench runs. We do not expect it to be present on any production
installation.

### Patches
The patch is available via commit ID [PUT HERE].

### Workarounds
Octet-counted framing is not very common. Usually, it needs to be
specifically enabled at senders. If users do not need it, they can
turn it off for the most important modules. This will mitigate the
vulnerability. How to do this depends on the module:

* For `imtcp`. `imptcp`, add `SupportOctetCountedFraming="off"` to the
`input()` definition.
  Docs: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html,
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html,
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imhttp.html
* For `imgssapi`octet.-counted framing cannot be turned off.
* For `imdiag` octect-counted framing cannot be turned off. However,
`imdiag` should never be present on production systems.

Note that while octet-counted framing can be disabled sending systems
have to explicitly enable it, but by default receiving systems
autodetect if it's in use. The 'normal' reason to enable it is if you
are sending logs with embedded newlines.

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [rsyslog repo](http://github.com/rsyslog)
* Post to the [rsyslog mailing
list](https://lists.adiscon.net/mailman/listinfo/rsyslog)

Credits to Peter Agten for initially reporting the issue and working
with us on the resolution.

Rainer Gerhards
Comment 18 Robert Frohl 2022-05-05 12:59:55 UTC 
(In reply to Robert Frohl from comment #17)
> oss-security:
> 
> [..]
> 
> ### Patches
> The patch is available via commit ID [PUT HERE].

https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f
Comment 20 Andreas Stieger 2022-05-08 14:09:38 UTC 
for openSUSE Tumbleweed: https://build.opensuse.org/request/show/975635
Comment 21 OBSbugzilla Bot 2022-05-08 16:40:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1199061) was mentioned in
https://build.opensuse.org/request/show/975639 Factory / rsyslog
Comment 23 Swamp Workflow Management 2022-05-09 19:17:05 UTC 
SUSE-SU-2022:1583-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199061
CVE References: CVE-2022-24903
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Manager Server 4.1 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Manager Retail Branch Server 4.1 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Manager Proxy 4.1 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    rsyslog-8.2106.0-150200.4.26.1
SUSE Enterprise Storage 7 (src):    rsyslog-8.2106.0-150200.4.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Thomas Blume 2022-05-16 07:52:39 UTC 
update was released, bug should be good to close.
Reassigning to security-team to wrap it up.
Comment 25 Swamp Workflow Management 2022-05-23 16:20:39 UTC 
SUSE-SU-2022:1817-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199061
CVE References: CVE-2022-24903
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise Server for SAP 15 (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise Server 15-LTSS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    rsyslog-8.33.1-150000.3.37.1
SUSE Enterprise Storage 6 (src):    rsyslog-8.33.1-150000.3.37.1
SUSE CaaS Platform 4.0 (src):    rsyslog-8.33.1-150000.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-07-07 07:18:46 UTC 
SUSE-SU-2022:2314-1: An update that solves one vulnerability, contains one feature and has 11 fixes is now available.

Category: security (important)
Bug References: 1051798,1068678,1080238,1082318,1101642,1110456,1160414,1178288,1178490,1182653,1188039,1199061
CVE References: CVE-2022-24903
JIRA References: SLE-23304
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    rsyslog-8.2106.0-8.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-07-07 19:16:15 UTC 
SUSE-SU-2022:2331-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199061
CVE References: CVE-2022-24903
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rsyslog-8.24.0-3.58.2
SUSE OpenStack Cloud Crowbar 8 (src):    rsyslog-8.24.0-3.58.2
SUSE OpenStack Cloud 9 (src):    rsyslog-8.24.0-3.58.2
SUSE OpenStack Cloud 8 (src):    rsyslog-8.24.0-3.58.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    rsyslog-8.24.0-3.58.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    rsyslog-8.24.0-3.58.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    rsyslog-8.24.0-3.58.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    rsyslog-8.24.0-3.58.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    rsyslog-8.24.0-3.58.2
HPE Helion Openstack 8 (src):    rsyslog-8.24.0-3.58.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2022-07-08 13:18:54 UTC 
SUSE-SU-2022:2333-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1199061
CVE References: CVE-2022-24903
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    rsyslog-8.4.0-18.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Alexander Bergmann 2022-12-08 07:28:45 UTC 
Fixed and released.