Vulnerabilities > CVE-2008-5110 - Unspecified vulnerability in Oneidentity Syslog-Ng

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
oneidentity
critical
nessus

Summary

syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-10879.NASL
    descriptionFixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36373
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36373
    titleFedora 10 : syslog-ng-2.0.10-1.fc10 (2008-10879)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2008-10879.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36373);
      script_version ("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:26");
    
      script_cve_id("CVE-2008-5110");
      script_xref(name:"FEDORA", value:"2008-10879");
    
      script_name(english:"Fedora 10 : syslog-ng-2.0.10-1.fc10 (2008-10879)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixes CVE-2008-5110
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=471984"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/017307.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?89990ede"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected syslog-ng package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:syslog-ng");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC10", reference:"syslog-ng-2.0.10-1.fc10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "syslog-ng");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_75F2382EB58611DD95F900E0815B8DA8.NASL
    descriptionFlorian Grandel reports : I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail
    last seen2020-06-01
    modified2020-06-02
    plugin id34816
    published2008-11-19
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34816
    titleFreeBSD : syslog-ng2 -- startup directory leakage in the chroot environment (75f2382e-b586-11dd-95f9-00e0815b8da8)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200907-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200907-10 (Syslog-ng: Chroot escape) Florian Grandel reported that Syslog-ng does not call chdir() before chroot() which leads to an inherited file descriptor to the current working directory. Impact : A local attacker might exploit a separate vulnerability in Syslog-ng and use this vulnerability to escape the chroot jail. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id39781
    published2009-07-13
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39781
    titleGLSA-200907-10 : Syslog-ng: Chroot escape
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-10752.NASL
    descriptionFixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id35045
    published2008-12-08
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35045
    titleFedora 9 : syslog-ng-2.0.10-1.fc9 (2008-10752)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-10920.NASL
    descriptionFixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id35049
    published2008-12-08
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35049
    titleFedora 8 : syslog-ng-2.0.10-1.fc8 (2008-10920)