
Bug 191

Summary: Syslogd Vulnerable
Product: [Retired] Red Hat Linux
Component: sysklogd
Version: 5.0
Hardware: i386
OS: Linux
Reporter: jay
Assignee: Preston Brown <pbrown>
Severity: medium
Priority: medium
Keywords: Security
Doc Type: Bug Fix
Last Closed: 1998-11-25 15:01:24 UTC

Description jay 1998-11-25 01:59:22 UTC
As near as I can tell, syslog 1.3-3 as included in Red Hat 5.0 has a vulnerability.
Today, Nov 24 at 13:52 I did a 'tail -f' of /var/log/messages and received
several lines up to and including the following.

Nov 22 21:39:52 texnet identd[29833]: Successful lookup: 29493 , 25 :root.root
Nov 22 21:40:06 texnet identd[29834]: from: ( dingo1 ) for:29554, 25
Nov 22 21:40:06 texnet identd[29834]: Successful lookup: 29554 , 25 :root.root

It seemed very suspicious that the last message was two days

Then I did a killall -HUP syslogd and the following content

Nov 22 21:49:39 texnet syslogd: Cannot glue message parts
Nov 22 21:49:39 texnet
Nov 22 21:50:18 texnet named[1590]: secondary zone "" expired
Nov 22 21:50:46 texnet named[1590]: Err/TO getting serial# for ""
Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 :
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for ""
Nov 24 13:52:08 texnet identd[12154]: from: ( ) for: 4156, 25
Nov 24 13:52:08 texnet identd[12154]: Successful lookup: 4156 , 25 :
Nov 24 14:07:02 texnet identd[12222]: from: ( ) for: 4166, 25

At the same time my system has been compromised. It would
appear that the bogus message sent to syslog caused it to
puke, but stay resident (in sleep state), so my usual
checks appeared to be successful, with no anomalies. The
cracker then had two days of unlogged access to
do other tasks. I believe he used the NFS hole to get in.

With the kill of syslogd he could then sign in and not have
the connection source logged. I've turned off password
authentication to ssh and turned off all but pop3 and ftp access, but I think
I need some help and pointers on securing this system.
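The failure the reporter describes is a logger that stops writing but stays resident, so a process check passes while the log goes silent for two days. The only trace it leaves is the gap itself and the markers sysklogd writes around it. The script below is an added example, not code from the bug report or from Red Hat: it parses BSD-style syslog lines (which carry no year), flags any gap between consecutive entries longer than a threshold, and lists sysklogd's own status messages. The sample lines are constructed after the ones quoted above; the year 1998 and the 6-hour threshold are assumptions.

```python
"""Detect silent syslogd outages from a BSD-style syslog file.

Added example, not part of the bug report. Checks two things a reporter
reconstructing this incident would want automated:
  1. gaps between consecutive timestamps longer than a threshold, and
  2. status lines written by sysklogd itself (restart, "Cannot glue ...").
"""
import re
from datetime import datetime, timedelta

# BSD syslog line: "Nov 22 21:49:39 host tag[pid]: message" (no year field).
# The message part is optional: the report shows a bare "Nov 22 21:49:39 texnet".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)(?: (?P<msg>.*))?$"
)

# Lines sysklogd 1.3 writes about its own state; both appear in the report.
MARKERS = ("syslogd 1.3-3: restart.", "Cannot glue message parts")


def parse_ts(ts: str, year: int) -> datetime:
    """Parse 'Nov 22 21:49:39' using an assumed year, since syslog omits it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_gaps(lines, year=1998, max_gap=timedelta(hours=6)):
    """Return (line_before, line_after, gap) for every silence longer than max_gap.

    A logger that hung leaves exactly this shape: the last normal entry, then
    nothing until the restart line. Lines that do not parse as syslog entries
    (continuations, garbage) are skipped. Year rollover is not handled: this is
    an assumption that the file covers a single year.
    """
    gaps = []
    prev = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"), year)
        if prev is not None and ts - prev[0] > max_gap:
            gaps.append((prev[1], line, ts - prev[0]))
        prev = (ts, line)
    return gaps


def find_markers(lines):
    """Return the lines in which sysklogd reports on its own state."""
    return [line for line in lines if any(mk in line for mk in MARKERS)]


# Constructed sample modelled on the lines quoted in the report (not real data).
SAMPLE = """\
Nov 22 21:49:39 texnet syslogd: Cannot glue message parts
Nov 22 21:49:39 texnet
Nov 22 21:50:18 texnet named[1590]: secondary zone "" expired
Nov 22 21:51:42 texnet identd[29870]: Successful lookup: 29746 , 21 :
Nov 24 13:40:43 texnet syslogd 1.3-3: restart.
Nov 24 13:44:05 texnet named[1590]: Err/TO getting serial# for ""
Nov 24 13:52:08 texnet identd[12154]: from: ( ) for: 4156, 25
""".splitlines()


if __name__ == "__main__":
    for before, after, gap in find_gaps(SAMPLE):
        print(f"silent for {gap}:\n  last: {before}\n  next: {after}")
    for line in find_markers(SAMPLE):
        print("syslogd status:", line)
```

Run against /var/log/messages the gap check is a cheap cron job; pair it with a live canary (`logger -t canary "$TOKEN"`, then grep the file for `$TOKEN` a few seconds later) so a hung-but-resident syslogd is caught the same hour rather than two days later.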

Comment 1 Aleksey Nogin 1998-11-25 07:03:59 UTC
You should consider subscribing to redhat-watch-list or
There was a security update of sysklogd RPM about a week ago...

Comment 2 Preston Brown 1998-11-25 15:01:59 UTC
Fixed by an errata release. Please check out
before posting bugs.