Re: Remotely kill Solaris syslogd

Andrew Reynhout (reynhout@QUESERA.COM)
Tue, 21 Oct 1997 12:17:38 -0400

We've run into the same issue, and Sun has known about it since April.
There is a patch, 103738-04, which fixes this (and other) problems.
It is **NOT** a recommended or a security patch, nor is it available
from the public area of sunsolve. It clearly should be.

There are many installations where syslogd is a critical part of the
security/monitoring infrastructure. There are even some where REMOTE
syslogging is critical. It is a terrible choice, but many times the
only one available. I'd recommend using Paul Vixie's syslogd, or at
least filtering 514/udp. It won't solve syslogd's spoofing problems,
but at least messages won't disappear.

(From the README.103738-04:)
>Patch-ID# 103738-04
>Keywords: syslogd core lookup EUC ja 8-bit limit
>Synopsis: SunOS 5.5.1: /usr/sbin/syslogd patch
>Date: Oct/03/97
>Xref: This patch available for x86 as patch 103739
>...
>Problem Description:
>...
>(from 103738-01)
>1249320 *syslogd* syslog is dying randomly in Solaris 2.5, leaves core files.

Andrew

lb - STAFF writes:
> It seems that I've stumbled upon a bug which must have been discovered
> but never disclosed, I find it hard to believe no one has found this. After
> searching the bugtraq archives and the publicly available patches from
> Sun I am still under the impression that this hasn't been released until
> now.
>
> When Solaris syslogd receives an external message it attempts to do
> a DNS lookup on the source IP. Many times, if this IP doesn't match a
> DNS record then syslogd will crash with a Seg Fault. I have not had
> time to diagnose completely how dangerous this is, as I didn't feel like
> spending time debugging DNS packets, but at the very least it will disable
> logging on the target machine. It also turns out that depending on the
> source IP, syslogd will either Seg Fault or Bus Error which leads me
> to believe this could be most harmful.
>
> This has been tested on Solaris 2.5 and 2.5.1 for both Sparc and x86 with
> full patches. Solaris 2.6 Sparc does not appear to be vulnerable.
>
> The only solution at the moment (because I know of no way to disable
> remote logging under Solaris) is to filter off udp port 514 whenever
> possible and perhaps to respawn syslogd from inittab.
>
> If this is an old bug, well the patch shoulda been included in Sun's
> recommended security patches. If not, as it says, your mileage may vary.
>
> (Is there anyone left who isn't a security consultant?)
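Both posts land on the same stopgap while the patch is not public: filter 514/udp at the perimeter and make sure a crashed syslogd comes back, so an attacker cannot silently blind logging. The script below is an added example, not code from either poster: a small POSIX sh watchdog meant to run from cron that checks the process table for syslogd and restarts it when it is gone. It assumes the Solaris 2.x `/etc/init.d/syslog start` script is the way to restart the daemon and that `ps -e` prints the command name in its last column; both are assumptions, and `PS_CMD` can be overridden to check the logic against a constructed listing offline.

```shell
#!/bin/sh
# Added example (not from the original thread): a syslogd watchdog for the
# crash described above. Run it from cron (every minute is plenty); it does
# not replace filtering 514/udp, it only limits how long logging stays dead.
#
# Assumptions: the daemon is restarted with /etc/init.d/syslog start (the
# Solaris 2.x init script) and `ps -e` lists the command name last.

# Command that produces the process table; override for offline testing.
PS_CMD=${PS_CMD:-"ps -e"}

# Path of the init script used to bring syslogd back (assumed).
SYSLOG_INIT=${SYSLOG_INIT:-/etc/init.d/syslog}

# syslogd_running LISTING
# Return 0 if a syslogd process appears in LISTING (the text of `ps -e`),
# 1 otherwise. Only the command column is inspected, so a process whose
# arguments merely mention syslogd (e.g. an editor on a config file) does
# not count as a false positive.
syslogd_running() {
    printf '%s\n' "$1" | awk '
        $NF == "syslogd" || $NF ~ /\/syslogd$/ { found = 1 }
        END { exit !found }'
}

# restart_needed LISTING
# Return 0 when a restart should be attempted, 1 when syslogd is alive.
# Kept separate from the side effect so the decision can be tested.
restart_needed() {
    if syslogd_running "$1"; then
        return 1
    fi
    return 0
}

# watchdog
# Take the current process table and restart syslogd if it has died.
# Note: the daemon itself is dead, so `logger` cannot be used here; the
# complaint goes to stderr, which cron mails to the administrator.
watchdog() {
    listing=$($PS_CMD)
    if restart_needed "$listing"; then
        echo "$(date): syslogd not running, restarting via $SYSLOG_INIT" >&2
        "$SYSLOG_INIT" start
        return $?
    fi
    return 0
}

# Only act when explicitly asked to, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

A crontab line such as `* * * * * /usr/local/sbin/syslogd-watch run` (path assumed) gives a one-minute recovery window. Because the crash is triggered by a single hostile datagram, an attacker who can reach 514/udp can also re-kill the daemon every minute, which is why the watchdog is only a complement to the port filtering both posters recommend; the cron mail it produces on each restart is also a useful signal that someone is poking at the port.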