Vulnerabilities > CVE-2008-5110 - Unspecified vulnerability in Oneidentity Syslog-Ng
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2008-10879.NASL description Fixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36373 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36373 title Fedora 10 : syslog-ng-2.0.10-1.fc10 (2008-10879) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2008-10879. # include("compat.inc"); if (description) { script_id(36373); script_version ("1.12"); script_cvs_date("Date: 2019/08/02 13:32:26"); script_cve_id("CVE-2008-5110"); script_xref(name:"FEDORA", value:"2008-10879"); script_name(english:"Fedora 10 : syslog-ng-2.0.10-1.fc10 (2008-10879)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Fixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=471984" ); # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/017307.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?89990ede" ); script_set_attribute( attribute:"solution", value:"Update the affected syslog-ng package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:syslog-ng"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC10", reference:"syslog-ng-2.0.10-1.fc10")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "syslog-ng"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_75F2382EB58611DD95F900E0815B8DA8.NASL description Florian Grandel reports : I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail last seen 2020-06-01 modified 2020-06-02 plugin id 34816 published 2008-11-19 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34816 title FreeBSD : syslog-ng2 -- startup directory leakage in the chroot environment (75f2382e-b586-11dd-95f9-00e0815b8da8) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200907-10.NASL description The remote host is affected by the vulnerability described in GLSA-200907-10 (Syslog-ng: Chroot escape) Florian Grandel reported that Syslog-ng does not call chdir() before chroot() which leads to an inherited file descriptor to the current working directory. Impact : A local attacker might exploit a separate vulnerability in Syslog-ng and use this vulnerability to escape the chroot jail. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 39781 published 2009-07-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39781 title GLSA-200907-10 : Syslog-ng: Chroot escape NASL family Fedora Local Security Checks NASL id FEDORA_2008-10752.NASL description Fixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35045 published 2008-12-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35045 title Fedora 9 : syslog-ng-2.0.10-1.fc9 (2008-10752) NASL family Fedora Local Security Checks NASL id FEDORA_2008-10920.NASL description Fixes CVE-2008-5110 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35049 published 2008-12-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35049 title Fedora 8 : syslog-ng-2.0.10-1.fc8 (2008-10920)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505791
- http://www.openwall.com/lists/oss-security/2008/11/17/3
- http://secunia.com/advisories/35748
- http://security.gentoo.org/glsa/glsa-200907-10.xml
- http://secunia.com/advisories/40551
- http://www.vupen.com/english/advisories/2010/1796
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083