Re: Remotely kill Solaris syslogd
Andrew Reynhout (reynhout@QUESERA.COM)
Tue, 21 Oct 1997 12:17:38 -0400
- In reply to: lb - STAFF: "Remotely kill Solaris syslogd"
We've run into the same issue, and Sun has known about it since April. There is a patch, 103738-04, which fixes this (and other) problems. It is **NOT** a recommended or a security patch, nor is it available from the public area of sunsolve. It clearly should be. There are many installations where syslogd is a critical part of the security/monitoring infrastructure. There are even some where REMOTE syslogging is critical. It is a terrible choice, but many times the only one available.

I'd recommend using Paul Vixie's syslogd, or at least filtering 514/udp. It won't solve syslogd's spoofing problems, but at least messages won't disappear.

(From the README.103738-04:)

> Patch-ID# 103738-04
> Keywords: syslogd core lookup EUC ja 8-bit limit
> Synopsis: SunOS 5.5.1: /usr/sbin/syslogd patch
> Date: Oct/03/97
> Xref: This patch available for x86 as patch 103739
> ...
> Problem Description:
> ...
> (from 103738-01)
> 1249320 *syslogd* syslog is dying randomly in Solaris 2.5, leaves core files.

Andrew

lb - STAFF writes:

> It seems that I've stumbled upon a bug which must have been discovered
> but never disclosed, I find it hard to believe no one has found this. After
> searching the bugtraq archives and the publicly available patches from
> Sun I am still under the impression that this hasn't been released until
> now.
>
> When Solaris syslogd receives an external message it attempts to do
> a DNS lookup on the source IP. Many times, if this IP doesn't match a
> DNS record then syslogd will crash with a Seg Fault. I have not had
> time to diagnose completely how dangerous this is, as I didn't feel like
> spending time debugging DNS packets, but at the very least it will disable
> logging on the target machine. It also turns out that depending on the
> source IP, syslogd will either Seg Fault or Bus Error which leads me
> to believe this could be most harmful.
>
> This has been tested on Solaris 2.5 and 2.5.1 for both Sparc and x86 with
> full patches. Solaris 2.6 Sparc does not appear to be vulnerable.
>
> The only solution at the moment (because I know of no way to disable
> remote logging under Solaris) is to filter off udp port 514 whenever
> possible and perhaps to respawn syslogd from inittab.
>
> If this is an old bug, well the patch shoulda been included in Sun's
> recommended security patches. If not, as it says, your mileage may vary.
>
> (Is there anyone left who isn't a security consultant?)
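As an added illustration (not code from the thread or from Sun), this is the receiver-side behaviour a remote syslog daemon should have for the case described above: label each message with the sender's reverse-DNS name, but fall back to the literal address when the PTR lookup fails instead of dying. The resolver is injectable so the failure path can be exercised offline; the datagram and addresses are constructed sample data.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 framing: "<PRI>" followed by the message body.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
DEFAULT_PRI = 13  # user.notice, used when PRI is missing or out of range


@dataclass
class Record:
    source: str     # reverse-resolved hostname, or the bare IP if lookup failed
    facility: int
    severity: int
    message: str


def source_label(ip, lookup=socket.gethostbyaddr):
    """Reverse-resolve the sender; on any resolver failure keep the literal
    address. An unresolvable source must never abort the receiver."""
    try:
        return lookup(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ip


def parse_datagram(data, src_ip, lookup=socket.gethostbyaddr):
    """Decode one UDP/514 datagram into a Record, tolerating malformed PRI."""
    text = data.decode("ascii", errors="replace")
    m = SYSLOG_RE.match(text)
    pri = int(m.group(1)) if m else -1
    if 0 <= pri <= 191:
        body = m.group(2)
    else:
        pri, body = DEFAULT_PRI, text
    return Record(source_label(src_ip, lookup), pri >> 3, pri & 7, body.strip())


def no_ptr_resolver(ip):
    """Constructed stand-in for a resolver with no PTR record for the sender."""
    raise socket.herror(1, "Unknown host")


# Constructed sample: auth.crit (PRI 34) from a sender with no reverse DNS.
SAMPLE = b"<34>Oct 21 12:17:38 gw sshd[1234]: failed login"
SAMPLE_SRC = "192.0.2.10"

if __name__ == "__main__":
    print(parse_datagram(SAMPLE, SAMPLE_SRC, no_ptr_resolver))
```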