CVE-2018-1000140

9.8 CRITICAL

📋 TL;DR

A stack buffer overflow in librelp, the RELP library used by rsyslog, allows remote code execution when a malicious X.509 certificate is processed. An attacker can exploit it by connecting to rsyslog and presenting a specially crafted certificate. Systems using rsyslog with librelp version 1.2.14 or earlier are affected.

💻 Affected Systems

Products:
  • rsyslog with librelp
  • librelp library
Versions: librelp version 1.2.14 and earlier
Operating Systems: Linux distributions including RHEL, CentOS, Ubuntu, Debian
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that use the RELP protocol for log forwarding. Default rsyslog configurations may not use RELP.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains full control of the rsyslog server, potentially compromising the entire logging infrastructure and using it as a foothold for lateral movement.

🟠 Likely Case

Remote code execution leading to system compromise, data exfiltration, or deployment of malware/ransomware.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized connections to rsyslog.

🌐 Internet-Facing: HIGH - Directly exploitable over the network without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists on Packet Storm. Exploitation requires network access to the rsyslog RELP port (default 20514).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: librelp 1.2.15 and later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2018:1223

Restart Required: Yes

Instructions:

1. Update the librelp package to version 1.2.15 or later.
2. For RHEL/CentOS: yum update librelp
3. For Debian/Ubuntu: apt-get update && apt-get install --only-upgrade librelp0 (the runtime package is named librelp0, not librelp)
4. Restart the rsyslog service: systemctl restart rsyslog

🔧 Temporary Workarounds

Disable RELP protocol

If RELP protocol is not required, disable it to prevent exploitation.

1. Comment out or remove the RELP configuration lines in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
2. Restart rsyslog: systemctl restart rsyslog

Network access control

Restrict network access to the rsyslog RELP port using firewall rules. Note that iptables -A appends to the end of the INPUT chain, so an earlier ACCEPT rule for the port would still win; use -I, or place the rule before any such ACCEPT rule, and allow trusted forwarders explicitly before the DROP if they must keep sending.

iptables -A INPUT -p tcp --dport 20514 -j DROP
firewall-cmd --permanent --remove-port=20514/tcp
firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate rsyslog servers from untrusted networks
  • Use host-based firewalls to restrict access to rsyslog RELP port (20514) only from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check the librelp version: rpm -q librelp or dpkg -l | grep librelp. If the version is 1.2.14 or earlier, the system is vulnerable.

Check Version:

rpm -q librelp 2>/dev/null || dpkg -l | grep librelp

Verify Fix Applied:

Verify the installed librelp version is 1.2.15 or later. A pattern such as grep 1.2.1[5-9] would miss 1.2.20 and later releases, so compare versions instead:

printf '1.2.15\n%s\n' "$(rpm -q --qf '%{VERSION}' librelp)" | sort -V | head -n 1

This prints 1.2.15 when the installed version is 1.2.15 or later, and the older installed version otherwise. Distribution packages may also carry the fix as a backport without a version bump; on RPM systems, rpm -q --changelog librelp | grep CVE-2018-1000140 shows whether the package changelog references this CVE.
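The following script is an added example, not part of the advisory or of the rsyslog/librelp projects. It combines the two verification questions above into one host check: is the installed librelp at or above 1.2.15 (the fixed release named in the advisory), and does the rsyslog configuration actually load the RELP input or output module (imrelp/omrelp), which is what creates exposure. The function names are the example's own; it assumes a sort that supports -V (GNU coreutils or BusyBox), that rpm or dpkg-query manages the package, that the Debian runtime package matches the glob librelp*, and that RELP is loaded with either module(load="imrelp") style or legacy $ModLoad imrelp syntax.

```shell
#!/bin/sh
# Added example (not from the advisory): check librelp version and RELP exposure on a host.
# Threshold 1.2.15 is the first fixed release per the advisory.
FIXED_VERSION="1.2.15"

# Reduce a packaged version to its upstream part:
# "1:1.2.14-2.el7" -> "1.2.14", "1.2.14-1ubuntu1" -> "1.2.14".
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Succeeds when the given librelp version is at or above FIXED_VERSION.
# Uses sort -V so 1.2.20 and 1.3.0 compare correctly (a grep on 1.2.1[5-9] would not).
librelp_version_fixed() {
    ver=$(upstream_version "$1")
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Installed librelp version from rpm or dpkg-query; prints nothing if not installed.
installed_librelp_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q librelp >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' librelp | head -n 1
    elif command -v dpkg-query >/dev/null 2>&1; then
        # Debian/Ubuntu ship the runtime library as librelp0 (assumed glob librelp*).
        dpkg-query -W -f='${Version}\n' 'librelp*' 2>/dev/null | head -n 1
    fi
}

# Succeeds when any given rsyslog config file loads imrelp or omrelp in either
# RainerScript (module(load="imrelp" ...)) or legacy ($ModLoad imrelp) syntax.
# Commented-out lines are ignored, so a disabled module does not count as exposure.
relp_configured() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Ev '^[[:space:]]*#' "$f" \
           | grep -Eiq 'module\([[:space:]]*load="(im|om)relp"|\$ModLoad[[:space:]]+(im|om)relp'; then
            return 0
        fi
    done
    return 1
}

# Human-readable summary for the current host.
report() {
    ver=$(installed_librelp_version)
    if [ -z "$ver" ]; then
        echo "librelp: not installed via rpm/dpkg"
    elif librelp_version_fixed "$ver"; then
        echo "librelp $ver: at or above $FIXED_VERSION"
    else
        echo "librelp $ver: below $FIXED_VERSION; check for a backported fix:" \
             "rpm -q --changelog librelp | grep CVE-2018-1000140"
    fi
    if relp_configured /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
        echo "rsyslog: RELP module configured (exposure present)"
    else
        echo "rsyslog: no RELP module configured"
    fi
}

report
```

Run it as root on each log collector and forwarder. A host that reports a version below 1.2.15 but no RELP module is not exposed by this CVE until RELP is enabled; a host with RELP configured needs either the package update or the workaround above.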

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connections to rsyslog RELP port
  • Rsyslog process crashes or abnormal behavior
  • Failed certificate validation errors

Network Indicators:

  • Unusual network traffic to port 20514
  • Large or malformed certificate data sent to rsyslog

SIEM Query:

source="rsyslog" AND ("certificate" OR "RELP") AND ("error" OR "failed" OR "crash")
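For hosts without a SIEM, the same indicators can be applied to rsyslog's own log from the shell. The script below is an added example, not part of the advisory: it runs the equivalent of the SIEM query over a set of constructed sample log lines, and checks the "unexpected connections" indicator by listing RELP peers that are not on an allowlist. The sample lines are invented for the example in generic rsyslog format; the "connection from" wording and the function names are assumptions, not quoted librelp messages, so adjust the patterns to the messages your rsyslog build actually emits.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the RELP/certificate log indicators
# to rsyslog log lines. SAMPLE_LOG holds constructed sample lines, not real output.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 12 10:01:02 loghost rsyslogd: imrelp: connection from 10.0.0.5 accepted
Mar 12 10:01:05 loghost rsyslogd: imrelp: error 'librelp: certificate validation failed'
Mar 12 10:01:06 loghost rsyslogd: omrelp: remote 'collector:20514' RELP session error
Mar 12 10:01:09 loghost rsyslogd: imrelp: connection from 198.51.100.77 accepted
Mar 12 10:02:00 loghost kernel: usb 1-1: new high-speed USB device
EOF

# Shell equivalent of the SIEM query: a line must mention a certificate or RELP
# and also report an error, failure or crash. Matching is case-insensitive, as most
# SIEM defaults are, so "imrelp"/"omrelp" count as RELP mentions.
relp_indicator_lines() {
    grep -Ei 'certificate|relp' "$1" | grep -Ei 'error|failed|crash'
}

# Number of indicator lines (tr strips the padding BSD wc adds).
relp_indicator_count() {
    relp_indicator_lines "$1" | wc -l | tr -d ' '
}

# Peers that opened a RELP connection but are not in the allowlist
# (one IPv4 address per line). Prints each unexpected address once.
unexpected_relp_peers() {
    allow="$1"
    log="$2"
    grep -Ei 'relp.*connection from' "$log" \
      | sed -En 's/.*connection from ([0-9]+(\.[0-9]+){3}).*/\1/p' \
      | sort -u \
      | grep -vxFf "$allow" || true
}

# Demonstration run over the constructed sample with 10.0.0.5 as the only trusted forwarder.
ALLOW=$(mktemp)
echo 10.0.0.5 > "$ALLOW"
echo "indicator lines: $(relp_indicator_count "$SAMPLE_LOG")"
relp_indicator_lines "$SAMPLE_LOG"
echo "unexpected RELP peers:"
unexpected_relp_peers "$ALLOW" "$SAMPLE_LOG"
rm -f "$ALLOW"
```

Point the functions at /var/log/messages or /var/log/syslog (or journalctl -u rsyslog output) on the collector, and populate the allowlist from the forwarders you expect. Repeated certificate validation failures from a peer not on the allowlist are the combination worth alerting on, and the Packet Storm exploit status above means a single rsyslog crash following such a line should be treated as a possible exploitation attempt rather than noise.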
