CVE-2022-24903
📋 TL;DR
Rsyslog's TCP syslog reception modules contain a heap buffer overflow vulnerability when octet-counted framing is used. This can cause segmentation faults or system malfunctions, with potential for remote code execution in expert hands. Systems running vulnerable Rsyslog versions with TCP reception modules exposed are affected.
💻 Affected Systems
- Rsyslog
📦 What is this software?
- Fedora by Fedoraproject
- Rsyslog by Rsyslog
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though this is considered highly complex and unlikely according to the advisory.
Likely Case
Denial of service through segmentation faults or system crashes when processing malformed octet-counted syslog messages.
If Mitigated
Minimal impact if TCP reception modules are not exposed to untrusted networks and octet-counted framing is disabled.
🎯 Exploit Status
The advisory states that remote exploits are 'impossible or at least highly complex' because of buffer limitations once the digit sequence stops. No public exploits have been reported.
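The advisory's point is that the octet count prefix of a TCP syslog frame is attacker-controlled input that must be bounded before it is used. The following parser is an added illustration written for this page, not rsyslog's code and not the patched logic from the referenced commit: it implements RFC 6587 octet-counted framing (a decimal length, one space, then that many bytes) with an explicit cap on the number of count digits and on the accepted frame size. The two limits (10 digits, 64 KiB) are assumptions chosen for the example.

```python
"""Bounded parser for octet-counted TCP syslog framing (RFC 6587, section 3.4.1).

Added example for this advisory page; it is not rsyslog source code. The
limits below are assumptions for the illustration, not rsyslog defaults.
"""
from __future__ import annotations

MAX_COUNT_DIGITS = 10       # assumption: a legitimate octet count never needs more
MAX_FRAME_BYTES = 64 * 1024  # assumption: largest single message we will buffer


class FramingError(ValueError):
    """Raised when the input cannot be a valid octet-counted frame."""


def parse_frame(buf: bytes) -> tuple[bytes | None, bytes]:
    """Parse one frame from the head of buf.

    Returns (message, rest). message is None when more bytes are needed, in
    which case rest is buf unchanged so the caller can append the next read.
    Raises FramingError when the prefix can never become a valid frame, so
    the caller can close the connection instead of guessing.
    """
    n = len(buf)
    i = 0
    # Walk the decimal digit run, but stop trusting it past a fixed bound:
    # the sender controls how many digits arrive, so the parser, not the
    # sender, must decide how many it will ever accumulate.
    while i < n and 0x30 <= buf[i] <= 0x39:
        i += 1
        if i > MAX_COUNT_DIGITS:
            raise FramingError("octet count longer than %d digits" % MAX_COUNT_DIGITS)
    if i == n:
        return None, buf  # count or its terminating space not received yet
    if i == 0:
        raise FramingError("frame does not start with an octet count")
    if buf[0] == 0x30:
        raise FramingError("octet count must be a non-zero digit sequence without leading zeros")
    if buf[i] != 0x20:
        raise FramingError("octet count must be followed by a single space")
    count = int(buf[:i].decode("ascii"))
    if count > MAX_FRAME_BYTES:
        raise FramingError("octet count %d exceeds %d bytes" % (count, MAX_FRAME_BYTES))
    start, end = i + 1, i + 1 + count
    if end > n:
        return None, buf  # message body incomplete, wait for more data
    return buf[start:end], buf[end:]


def split_frames(stream: bytes) -> tuple[list[bytes], bytes]:
    """Extract every complete frame from a received byte stream.

    Returns (frames, leftover); leftover is the unparsed tail to keep for the
    next read. A FramingError propagates so the connection can be dropped.
    """
    frames: list[bytes] = []
    rest = stream
    while rest:
        msg, rest = parse_frame(rest)
        if msg is None:
            break
        frames.append(msg)
    return frames, rest


def rejects(buf: bytes) -> bool:
    """True when parse_frame refuses buf outright (used to exercise the bounds)."""
    try:
        parse_frame(buf)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stream: two complete frames followed by a partial third.
    frames, leftover = split_frames(b"3 abc5 hello2 x")
    print(frames, leftover)            # [b'abc', b'hello'] b'2 x'
    print(rejects(b"99999999999 x"))   # True: eleven digits exceed the bound
```

The important design choice is that every branch that leaves the digit loop is explicit: a bounded run of digits that ends in a space is parsed, an incomplete run asks for more data, and anything else is an error that terminates the connection. A receiver that keeps reading digits into fixed storage, or that trusts the decoded count without a ceiling, is exactly the shape of defect the advisory describes.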
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions containing commit f211042ecbb472f9d8beb4678a65d272b6f07705
Vendor Advisory: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8
Restart Required: Yes
Instructions:
1. Update Rsyslog to a patched version via your package manager.
2. For Debian: apt update && apt upgrade rsyslog
3. For Fedora: dnf update rsyslog
4. Restart the Rsyslog service: systemctl restart rsyslog
🔧 Temporary Workarounds
Disable octet-counted framing
Linux: Turn off octet-counted framing in the vulnerable modules if it is not needed.
Edit the Rsyslog configuration (legacy directive syntax; the input parameters must precede the $InputTCPServerRun line that starts the listener) to add:
$ModLoad imtcp
$InputTCPServerInputName imtcp
$InputTCPServerSupportOctetCountedFraming off
$InputTCPServerRun 10514
Restrict network exposure
Linux: Ensure TCP reception modules are not exposed to untrusted networks.
Configure firewall to restrict access to Rsyslog TCP ports (typically 514, 10514)
iptables -A INPUT -p tcp --dport 514 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 514 -j DROP
🧯 If You Can't Patch
- Disable octet-counted framing in all TCP reception modules
- Implement network segmentation to isolate Rsyslog servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the Rsyslog version and determine whether the installed build predates the fixing commit (f211042ecbb472f9d8beb4678a65d272b6f07705): rsyslogd -v | grep version
Check Version:
rsyslogd -v | grep version
Verify Fix Applied:
Confirm the installed version includes the fix and review the configuration for octet-counted framing settings.
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in system logs
- Rsyslog process crashes or restarts
- Unusual octet-counted framing messages
Network Indicators:
- Malformed TCP syslog packets with octet-counted framing
- Connection attempts to Rsyslog TCP ports from untrusted sources
SIEM Query:
source="rsyslog" AND ("segmentation fault" OR "crash" OR "restart")
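The log indicators above can be checked on a host without a SIEM. This scanner is an added example, not part of the advisory: it reads system-log lines, picks out kernel segfault reports for rsyslogd, systemd notices that the rsyslog unit died on SIGSEGV or was scheduled for restart, and records which imtcp peer was last seen connecting before each crash, which is the first thing an investigator wants when triaging a crash loop. The log lines are constructed to resemble kernel, systemd and imtcp message shapes; hostnames, PIDs and addresses are invented, and the restart threshold is an assumption.

```python
"""Scan system-log lines for the rsyslog crash indicators listed in this advisory.

Added example for this page, not vendor code. SAMPLE_LOG is constructed:
the host name, PIDs, addresses and timestamps are invented for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Kernel report of a crashing rsyslogd process ("<comm>[<pid>]: segfault at ...").
SEGFAULT_RE = re.compile(r"kernel: rsyslogd\[(\d+)\]: segfault at")
# systemd noting that the unit's main process died on SIGSEGV (status 11).
SEGV_EXIT_RE = re.compile(r"rsyslog\.service: Main process exited, .*status=11/SEGV")
# systemd restart accounting for the unit.
RESTART_RE = re.compile(r"rsyslog\.service: Scheduled restart job, restart counter is at (\d+)")
# imtcp peer notice; used only to remember who was talking last before a crash.
PEER_RE = re.compile(r"imtcp: connection established with host: (\S+)")

RESTART_ALERT_THRESHOLD = 2  # assumption: tune to how often rsyslog restarts normally

SAMPLE_LOG = """\
Mar 14 10:02:09 loghost rsyslogd: imtcp: connection established with host: 10.0.0.1
Mar 14 10:02:11 loghost kernel: rsyslogd[1234]: segfault at 7f3a9c0 ip 00007f3a9c0c1d2e sp 00007f3a8b7f9d10 error 4 in rsyslogd[55d2e7c0e000+2a000]
Mar 14 10:02:11 loghost systemd[1]: rsyslog.service: Main process exited, code=killed, status=11/SEGV
Mar 14 10:02:11 loghost systemd[1]: rsyslog.service: Failed with result 'signal'.
Mar 14 10:02:12 loghost systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 1.
Mar 14 10:02:12 loghost systemd[1]: Started System Logging Service.
Mar 14 10:03:38 loghost rsyslogd: imtcp: connection established with host: 10.0.0.7
Mar 14 10:03:40 loghost kernel: rsyslogd[1301]: segfault at 0 ip 00007f0b1c2d3e4f sp 00007ffd2a0b1c20 error 4 in rsyslogd[55d2e7c0e000+2a000]
Mar 14 10:03:40 loghost systemd[1]: rsyslog.service: Main process exited, code=killed, status=11/SEGV
Mar 14 10:03:41 loghost systemd[1]: rsyslog.service: Scheduled restart job, restart counter is at 2.
Mar 14 10:03:41 loghost systemd[1]: Started System Logging Service.
Mar 14 10:05:00 loghost sshd[2000]: Accepted publickey for ops from 10.0.0.9 port 51234
"""


@dataclass
class ScanResult:
    # (crashed rsyslogd PID, last imtcp peer seen before the crash or None)
    segfaults: list[tuple[int, str | None]] = field(default_factory=list)
    segv_exits: int = 0
    max_restart_counter: int = 0

    @property
    def alert(self) -> bool:
        """Any segfault, or a restart loop, is worth a ticket."""
        return bool(self.segfaults) or self.max_restart_counter >= RESTART_ALERT_THRESHOLD


def scan_log(lines) -> ScanResult:
    """Classify each line against the indicator patterns; order matters for peer correlation."""
    result = ScanResult()
    last_peer: str | None = None
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            last_peer = m.group(1)
            continue
        m = SEGFAULT_RE.search(line)
        if m:
            result.segfaults.append((int(m.group(1)), last_peer))
            continue
        if SEGV_EXIT_RE.search(line):
            result.segv_exits += 1
            continue
        m = RESTART_RE.search(line)
        if m:
            result.max_restart_counter = max(result.max_restart_counter, int(m.group(1)))
    return result


if __name__ == "__main__":
    r = scan_log(SAMPLE_LOG.splitlines())
    for pid, peer in r.segfaults:
        print("rsyslogd pid %d segfaulted; last imtcp peer before crash: %s" % (pid, peer))
    print("SIGSEGV exits: %d, restart counter: %d, alert: %s"
          % (r.segv_exits, r.max_restart_counter, r.alert))
```

Run it against `journalctl -o short` or `/var/log/syslog` output piped line by line. The peer correlation is a triage hint, not proof: rsyslog may hold many TCP sessions at once, so the last peer to connect is only the first place to look when checking which sender is producing the malformed frames.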
🔗 References
- https://github.com/rsyslog/rsyslog/commit/f211042ecbb472f9d8beb4678a65d272b6f07705
- https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8
- https://lists.debian.org/debian-lts-announce/2022/05/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMNNXLCU2UORRVSZO24HL4KMVPK5PHVW/
- https://security.netapp.com/advisory/ntap-20221111-0002/
- https://www.debian.org/security/2022/dsa-5150