ManageEngine SysLog Forwarder 1.0 Remote Denial of Service Vulnerability

Solutionary ID: SERT-VDN-1016

Risk Rating: High

CVE ID: CVE-2014-6608

Product: Syslog Forwarder 1.0

Application Vendor: ManageEngine

Vendor URL: http://www.manageengine.com/free-syslog-forwarder-tool/free-syslog-forwarder-index.html

Date discovered: 08/28/2014

Discovered by: Rob Kraus and the Solutionary Security Engineering Research Team (SERT)

Vendor notification date: 09/15/2014

Vendor response date: No Response

Vendor acknowledgment date: No Response

Public disclosure date: 11/24/2014

Type of vulnerability: Buffer Overflow - Denial of Service (DoS)

Exploit Vectors: Local and Remote

Vulnerability Description: The application encounters a Denial of Service (DoS) condition due to a buffer overflow encountered when an attacker sends a specially crafted UDP packet to the configured port (default 514/UDP) of the Syslog Forwarder server. The DoS condition is caused by sending a large amount of data in the Syslog DATE message header field. The length of data sent to the field causes the application to stop responding and terminates the “SyslogForwarder.exe” process on the affected target.

Tested on: Windows XP, SP3, with SysLog Forwarder version 1.0 default installation.

Affected software versions: 1.0

Impact: Successful exploitation of the described vulnerability will cause a DoS to legitimate users and applications. The DoS condition will result in the loss of Syslog message forwarding capabilities, and may reduce the visibility to critical system and security messages. An attacker may be able to leverage the buffer overflow condition to execute arbitrary commands in the context of the account it is running as.

Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are made to address the issue identified. Limit access to only those systems that need to interact with the service to reduce available attack vectors.