ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability

Solutionary ID: SERT-VDN-1000

Risk Rating: High

CVE ID: CVE-2010-4840

Product: ManageEngine EventLog Analyzer version 6.1

Application Vendor: ManageEngine

Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010

Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)

Vendor notification date: 10/26/2010

Vendor response date: 11/12/2010

Vendor acknowledgment date: 12/2/2010

Public disclosure date: 12/10/2010

Type of vulnerability: Denial of Service, Buffer Overflow

Exploit Vectors: Local and Remote

Vulnerability Description: The application encounters a Denial of Service (DoS) condition due to a buffer overflow encountered when an attacker sends a specially crafted UDP packet to either port 514/UDP or 513/UDP of the Syslog server. The DoS condition is caused by sending a large amount of data in the Syslog PRI message header field. The length of data sent to the field causes the application to stop responding and terminates the “SysEvttCol.exe” process on the affected target.

Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation. Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable)

Impact: Successful exploitation of the described vulnerability will cause a DoS to legitimate users and applications. The DoS condition will result in the loss of centralized Syslog message collection, and may reduce the detection capability of the affected organization for identifying follow-on attacks and monitoring critical system messages. Additionally, a skilled attacker may be able to leverage the buffer overflow condition to execute arbitrary commands in the context of the account the application is running as.

Fixed in: No fix currently available. Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are made to address the issue identified. Limit access to only those systems that need to interact with the service to reduce available attack vectors.