Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25293
HistoryDec 12, 2010 - 12:00 a.m.

ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability

2010-12-1200:00:00
vulners.com
57
denial of service
buffer overflow
vulnerability
manageengine
syslog
exploit
windows xp
impact
remediation
solutionary

Title: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
Risk (CVSS2 Base Score): High (7.8)
Solutionary ID: SERT-VDN-1000
CVE ID: Pending
Solutionary Disclosure URL:
http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-Eventlog-Analyzer-Syslog-Renite-DoS-vuln.html

Product: ManageEngine EventLog Analyzer version 6.1
Application Vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research
Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010

Type of vulnerability: Denial of Service, Buffer Overflow
Exploit Vectors: Local and Remote

Vulnerability Description: The application is vulnerable to a Denial of Service
(DoS) condition due to a buffer overflow encountered when an attacker sends a
specially crafted UDP packet to either port 514/UDP or port 513/UDP of the Syslog
server. The DoS condition is experienced as a result of sending a large amount of
data in the Syslog PRI message header field. The length of data sent to the field
causes the application to stop responding and terminates the “SysEvttCol.exe”
process on the affected target.

Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default
installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous
versions may also be vulnerable)

Impact: Successful exploitation of the described vulnerability will cause a DoS to
legitimate users and applications. The DoS condition will result in the loss of
centralized Syslog message collection, and may reduce the detection capability of
the affected organization for identifying follow-on attacks and monitoring critical
system messages. Additionally, a skilled attacker may be able to leverage the
buffer overflow condition to execute arbitrary commands in the context of the
account the application is running as.

Fixed in: No fix currently available.

Remediation guidelines: The vendor has not provided any remediation guidelines to
address this issue. Solutionary recommends upgrading the application if patches are
provided to address the issue identified. Limit access to only those systems
requiring interaction with the service to reduce available attack vectors.

Keywords: security, vulnerability, ManageEngine, syslog, dos, event, log

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html