CVE-2024-47619
📋 TL;DR
This vulnerability in syslog-ng's TLS certificate validation allows improper wildcard matching patterns like 'foo.*.bar' and 'foo.a*c.bar' that should be rejected. Attackers could exploit this to perform man-in-the-middle attacks against TLS connections. All syslog-ng installations prior to version 4.8.2 using TLS certificate validation are affected.
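To make the flaw concrete, the following is an added example (not syslog-ng's own code and not taken from the advisory or the referenced tls-verifier.c) of a hostname matcher that applies the RFC 6125 rule a TLS verifier is expected to enforce: a wildcard may only stand for the entire leftmost label, so `*.example.com` is accepted while `foo.*.bar` and `foo.a*c.bar` are rejected outright. The function names `wildcard_pattern_is_valid` and `hostname_matches`, the sample hostnames, and the extra choice to refuse wildcards with fewer than two labels after them (`*.com`) are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings (DNS names are
 * case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Count dot-separated labels in s; returns 0 if s is empty or any label
 * is empty (e.g. "a..b" or a trailing dot). */
static int count_labels(const char *s)
{
    int n = 0;
    const char *p = s;
    if (*p == '\0')
        return 0;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0)
            return 0;
        n++;
        if (!dot)
            break;
        p = dot + 1;
    }
    return n;
}

/* A pattern containing '*' is valid only if the '*' is the whole leftmost
 * label ("*.example.com") and at least two labels follow it (assumption of
 * this example: refuse "*.com"). Patterns such as "foo.*.bar" (wildcard
 * not leftmost) or "foo.a*c.bar" (partial-label wildcard) are rejected. */
int wildcard_pattern_is_valid(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (!star)
        return 1;                        /* no wildcard at all: fine */
    if (star != pattern)
        return 0;                        /* wildcard is not the first character */
    if (strchr(star + 1, '*'))
        return 0;                        /* more than one wildcard */
    if (star[1] != '.')
        return 0;                        /* "*abc.example.com" style partial label */
    return count_labels(star + 2) >= 2;  /* suffix must be at least "x.y" */
}

/* Returns 1 if hostname is covered by pattern under the rules above,
 * 0 otherwise. A wildcard matches exactly one non-empty label. */
int hostname_matches(const char *pattern, const char *hostname)
{
    if (!wildcard_pattern_is_valid(pattern))
        return 0;
    if (pattern[0] != '*')
        return ieq(pattern, hostname);   /* plain name: exact match only */
    /* "*.suffix": hostname must be "<one non-empty label>.suffix". Comparing
     * from the first dot onward guarantees the wildcard cannot span dots. */
    const char *dot = strchr(hostname, '.');
    if (!dot || dot == hostname)
        return 0;
    return ieq(pattern + 1, dot);        /* ".suffix" vs ".suffix" */
}

int main(void)
{
    /* Constructed sample pairs for illustration. */
    static const struct { const char *pattern, *host; } cases[] = {
        { "*.example.com",    "logs.example.com"  },
        { "*.example.com",    "a.b.example.com"   },
        { "foo.*.bar",        "foo.x.bar"         },
        { "foo.a*c.bar",      "foo.abc.bar"       },
        { "logs.example.com", "LOGS.EXAMPLE.COM"  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-18s -> %s\n", cases[i].pattern, cases[i].host,
               hostname_matches(cases[i].pattern, cases[i].host) ? "match" : "reject");
    return 0;
}
```

The important property for defenders is in `hostname_matches`: a wildcard pattern is only ever compared from the hostname's first dot onward, so a single `*` can never cover more than one label and never a partial one, which is what the pre-4.8.2 behaviour described above failed to guarantee.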
💻 Affected Systems
- syslog-ng
📦 What is this software?
syslog-ng by One Identity
⚠️ Risk & Real-World Impact
Worst Case
Successful man-in-the-middle attack allowing interception, modification, or injection of log data in transit, potentially leading to data leakage or log manipulation.
Likely Case
Certificate validation bypass enabling unauthorized connections to syslog-ng servers, compromising log integrity and confidentiality.
If Mitigated
Limited impact if proper network segmentation and certificate pinning are implemented alongside the patch.
🎯 Exploit Status
Exploitation requires ability to intercept TLS traffic and craft malicious certificates matching the vulnerable wildcard patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.2
Vendor Advisory: https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update syslog-ng to version 4.8.2 or later using your package manager.
3. Restart the syslog-ng service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable TLS wildcard certificate matching
Configure syslog-ng to use exact certificate matching instead of wildcard patterns
Edit syslog-ng configuration to remove wildcard patterns from tls() options
Use certificate pinning
Configure syslog-ng to pin specific certificates rather than using wildcard validation
Set tls(peer-verify(required-trusted) ca-dir('/path/to/certs')) in configuration
🧯 If You Can't Patch
- Implement network segmentation to isolate syslog-ng traffic from untrusted networks
- Use VPN or encrypted tunnels for all syslog-ng communications instead of direct TLS
🔍 How to Verify
Check if Vulnerable:
Check syslog-ng version and verify if TLS with wildcard certificate validation is configured
Check Version:
syslog-ng --version
Verify Fix Applied:
Confirm syslog-ng version is 4.8.2 or later and test TLS connections with invalid wildcard patterns
📡 Detection & Monitoring
Log Indicators:
- Unexpected TLS connection successes with unusual certificate patterns
- Certificate validation warnings or errors in syslog-ng logs
Network Indicators:
- Unusual TLS handshake patterns
- Connections from unexpected sources to syslog-ng TLS ports
SIEM Query:
source="syslog-ng" AND ("tls" OR "certificate") AND ("wildcard" OR "validation" OR "bypass")
🔗 References
- https://github.com/syslog-ng/syslog-ng/blob/b0ccc8952d333fbc2d97e51fddc0b569a15e7a7d/lib/transport/tls-verifier.c#L78-L110
- https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006
- https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2
- https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg
- https://lists.debian.org/debian-lts-announce/2025/05/msg00034.html