CVE-2019-17041

9.8 CRITICAL

📋 TL;DR

CVE-2019-17041 is a heap overflow in rsyslog's pmaixforwardedfrom parser module, the contrib parser that handles log lines relayed from AIX hosts in the form "Message forwarded from <host>: <message>". When the hostname field never reaches the expected ':' delimiter, the parser's signed message-length counter is decremented below zero and then handed to memmove as an unsigned length, overwriting the heap. Parsing happens before any filtering, so an unauthenticated sender who can deliver one message to a listener whose ruleset uses this parser can trigger it; NVD rates the outcome as remote code execution (CVSS 9.8). Instances that have never loaded the module are not affected.

💻 Affected Systems

Products:
  • Rsyslog
Versions: v8.1908.0 and earlier releases in which the pmaixforwardedfrom module is loaded and bound to a ruleset (fixed upstream in the following release, v8.1910.0; distribution packages carry backports under their own version numbers)
Operating Systems: Linux distributions including Debian, Ubuntu, CentOS, RHEL, SUSE
Default Config Vulnerable: ✅ No
Notes: pmaixforwardedfrom is an optional contrib parser. It is not loaded by default and, once loaded, only sees messages in rulesets whose parser chain selects it (a parser(... type="pmaixforwardedfrom") object or a legacy $RulesetParser directive); stock distribution configurations do neither. Check every file under /etc/rsyslog.d/ as well as /etc/rsyslog.conf before concluding that a host is unaffected.

📦 What is this software?

rsyslog is the syslog daemon shipped by most Linux distributions. It accepts log messages from local processes and from the network (classically UDP and TCP port 514), runs each raw message through a chain of parser modules to extract the header fields, and then filters, stores or forwards it. pmaixforwardedfrom is an optional contrib parser for messages relayed by AIX syslog, which prefixes the original line with "Message forwarded from <host>:"; the parser strips that prefix and records the original host name.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker gains full system control via arbitrary code execution, potentially leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Remote code execution leading to service disruption, privilege escalation, or installation of backdoors/malware on affected systems.

🟢

If Mitigated

With the module unloaded, or with the listeners reachable only from trusted senders, the remaining exposure is a crash of rsyslogd (loss of logging until it restarts) from a message that reaches a still-vulnerable instance. A hardened allocator and ASLR make a crash far more likely than code execution, but do not rule it out.

🌐 Internet-Facing: HIGH - A syslog listener reachable from the internet accepts messages from anyone who can reach the port; UDP 514 needs no handshake and the source address can be forged, so the crafted message requires no authentication and no prior foothold.
🏢 Internal Only: MEDIUM - Any internal client permitted to send logs to the collector (or a compromised host on the same segment) can deliver the message; log collectors are attractive pivots because every host that ships logs to them trusts them.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only the ability to deliver one syslog message to a listener whose ruleset uses the pmaixforwardedfrom parser. Public analysis of the bug, including the malformed-message condition that triggers it, is available in the vulnerability write-ups and in the upstream fix, so the trigger is not secret; turning the memmove corruption into reliable code execution is a further step beyond that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: fixed upstream in v8.1910.0, the release after v8.1908.0 (rsyslog does not publish point releases such as v8.1908.1). Debian, Ubuntu, RHEL and SUSE backport the fix into their existing package versions, so the package changelog, not the upstream version alone, tells you whether CVE-2019-17041 is fixed.

Vendor Advisory: https://github.com/rsyslog/rsyslog/pull/3884

Restart Required: Yes

Instructions:

1. Update rsyslog with the package manager. Distribution packages backport the fix, so the installed version may stay below v8.1910.0; the package changelog is the authority for whether CVE-2019-17041 is fixed.
2. Debian/Ubuntu: apt update && apt install --only-upgrade rsyslog
3. RHEL/CentOS: yum update rsyslog
4. SUSE: zypper update rsyslog
5. Validate the configuration, then restart so the patched binary is actually running: rsyslogd -N1 && systemctl restart rsyslog

🔧 Temporary Workarounds

Disable pmaixforwardedfrom module

linux

Comment out the module load and any parser binding that references it, then validate the configuration before restarting (a restart with a dangling parser() or $RulesetParser reference fails and leaves the host without logging). If a parser(...) statement spans several lines, comment out the whole statement by hand.

sed -i 's/^\([^#].*pmaixforwardedfrom.*\)$/#\1/' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
rsyslogd -N1 && systemctl restart rsyslog

Block external AIX log sources

linux

A string match on the literal "AIX" does not catch the trigger: the parser keys on the prefix "Message forwarded from", and the crafted message need not contain "AIX" at all. Matching on the real prefix is a usable stopgap, but string matching is bypassable (the prefix can be split across TCP segments) and also drops legitimate AIX forwards, so restrict the listener to known sender addresses as well (replace 10.0.0.0/8 with the trusted sender range):

iptables -A INPUT -p udp --dport 514 -m string --string "Message forwarded from" --algo bm --icase -j DROP
iptables -A INPUT -p tcp --dport 514 -m string --string "Message forwarded from" --algo bm --icase -j DROP
iptables -A INPUT -p udp --dport 514 ! -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 514 ! -s 10.0.0.0/8 -j DROP

🧯 If You Can't Patch

  • Comment out the pmaixforwardedfrom module load and any parser binding that uses it, validate with rsyslogd -N1, and restart rsyslog
  • Restrict the syslog listeners (UDP/TCP 514 and any RELP or TLS ports in use) to known sender addresses with host or network firewall rules, and do not expose them to the internet

🔍 How to Verify

Check if Vulnerable:

Check whether the module is loaded or bound in any configuration file (rsyslogd -N1 validates the configuration but does not list loaded modules): grep -rn pmaixforwardedfrom /etc/rsyslog.conf /etc/rsyslog.d/

Check Version:

rsyslogd -v | head -1
On distributions that backport fixes, also check the package changelog: rpm -q --changelog rsyslog | grep -i CVE-2019-17041 (RHEL/CentOS/SUSE) or zgrep -i CVE-2019-17041 /usr/share/doc/rsyslog/changelog.Debian.gz (Debian/Ubuntu)

Verify Fix Applied:

Confirm that the installed package contains the fix (upstream v8.1910.0 or later, or a distribution package whose changelog names CVE-2019-17041), that rsyslog has been restarted since the upgrade (systemctl status rsyslog shows a start time after the package install), and that no configuration file still loads or binds pmaixforwardedfrom unless the parser is genuinely needed

📡 Detection & Monitoring

Log Indicators:

  • Incoming messages beginning "Message forwarded from" whose hostname field runs to the end of the message with no ':' (the delimiter the parser expects)
  • rsyslogd crashes or abnormal restarts, seen in the journal as "rsyslog.service: Main process exited, code=killed, status=11/SEGV" (or status=6/ABRT) followed by an automatic restart
  • glibc heap-check aborts from rsyslogd in the journal, such as "malloc(): corrupted top size" or "free(): invalid pointer", and a gap in the log stream from all sources while the daemon was down

Network Indicators:

  • "Message forwarded from" messages from hosts that are not AIX systems, or from addresses that have never sent syslog before
  • Bursts of such messages to UDP/TCP 514 (a sender probing many variants), or traffic to the syslog ports from outside the expected sender ranges

SIEM Query (Splunk-style; adjust field names to your schema):

(source="journald" OR sourcetype="syslog") AND ("rsyslogd" OR "rsyslog.service") AND ("SEGV" OR "segfault" OR "core dumped" OR "malloc():" OR "free():")

sourcetype="syslog" AND message="Message forwarded from *" AND NOT message="Message forwarded from *:*"

The first query catches the daemon's failure signatures (crash output does not contain the strings "heap overflow" or "pmaixforwardedfrom"). The second approximates the trigger shape, a forwarded-from prefix with no colon after it; a regex-capable engine can match ^Message forwarded from [^: ]*$ against the message body for an exact test.
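The parser step behind the TL;DR and the trigger shape the indicators above describe, as an added example: this is not rsyslog's code but a reduced model written from the public description of the bug, and the names aix_parse, aix_accepted, aix_move_len and aix_trigger_shape, the fixed flag and the sample messages are all constructed for this illustration. The message text is taken as already stripped of its syslog header. The real parser passes the computed length to memmove; the model returns it instead, so the signed-counter underflow can be observed without corrupting memory, and the classifier reuses the same logic to flag messages a detection pipeline should alert on.

```c
/* Added illustration for CVE-2019-17041 (not rsyslog's code): a reduced model
 * of the pmaixforwardedfrom step that locates the end of the forwarding
 * hostname, in pre-fix and fixed form, plus a classifier for the trigger
 * shape.  The real parser hands the computed length to memmove(); this model
 * returns it so the failure mode can be seen safely. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPENING_TEXT "Message forwarded from "
#define OPENING_LEN (sizeof(OPENING_TEXT) - 1)

typedef struct {
    int accepted;    /* 1: parser would go on to shift the message (memmove) */
    size_t move_len; /* the length it would pass to memmove */
} aix_result;

/* lenMsg is a signed int, as in the public description of the bug.
 * fixed == 0 reproduces the pre-fix check, which is only evaluated while
 * bytes remain; fixed == 1 applies the check the fix needs: reject unless
 * bytes remain AND the current byte is ':'. */
aix_result aix_parse(const char *msg, int fixed)
{
    aix_result r = { 0, 0 };
    int lenMsg = (int)strlen(msg);
    const char *p = msg;

    /* Is this an AIX forwarded message at all? (case-sensitive here, a
     * simplification of the real module's prefix test) */
    if (lenMsg < (int)OPENING_LEN || strncmp(p, OPENING_TEXT, OPENING_LEN) != 0)
        return r;
    p += OPENING_LEN;
    lenMsg -= (int)OPENING_LEN;

    /* Walk the hostname until ':' or ' ' is found or the bytes run out. */
    while (lenMsg > 0 && *p != ':' && *p != ' ') {
        --lenMsg;
        ++p;
    }

    if (fixed) {
        if (lenMsg < 1 || *p != ':')
            return r;   /* no delimiter: not a valid AIX forwarded message */
    } else if (lenMsg > 0 && *p != ':') {
        return r;       /* pre-fix: this check is skipped once lenMsg == 0 */
    }

    /* "Eat" the ':'.  Pre-fix this happens even when none was found,
     * taking lenMsg from 0 to -1. */
    --lenMsg;
    ++p;
    if (lenMsg > 0 && *p == ' ') {  /* optional space after the colon */
        --lenMsg;
        ++p;
    }

    r.accepted = 1;
    r.move_len = (size_t)lenMsg;    /* -1 becomes SIZE_MAX: the heap overflow */
    return r;
}

int aix_accepted(const char *msg, int fixed) { return aix_parse(msg, fixed).accepted; }
size_t aix_move_len(const char *msg, int fixed) { return aix_parse(msg, fixed).move_len; }

/* Detection helper: 1 when the message passes the pre-fix parser but is
 * rejected by the fixed one, i.e. it has the trigger shape. */
int aix_trigger_shape(const char *msg)
{
    return aix_accepted(msg, 0) && !aix_accepted(msg, 1);
}

int main(void)
{
    /* Constructed sample messages (not captured traffic). */
    const char *samples[] = {
        "Message forwarded from aixhost1: sshd[123]: session opened",
        "Message forwarded from aixhost1",           /* hostname runs to the end */
        "Message forwarded from aixhost1 no colon",  /* space ends the hostname */
        "kernel: unrelated local message",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        aix_result pre = aix_parse(samples[i], 0), post = aix_parse(samples[i], 1);
        printf("%-58s pre-fix: %s len=%zu  fixed: %s  trigger=%d\n", samples[i],
               pre.accepted ? "accept" : "reject", pre.move_len,
               post.accepted ? "accept" : "reject", aix_trigger_shape(samples[i]));
    }
    return 0;
}
```

Compile with cc -std=c99 and run: the second sample is accepted by the pre-fix path with a move length of SIZE_MAX while the fixed check rejects it, and only that sample is flagged by aix_trigger_shape. The fixed branch models the check the parser needs (bytes must remain and the byte must be ':'), not the upstream patch verbatim.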
