ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability

[robkraus () solutionary com]

Title: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
Risk (CVSS2 Base Score): High (7.8)
Solutionary ID: SERT-VDN-1000 
CVE ID: Pending
Solutionary Disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-Eventlog-Analyzer-Syslog-Renite-DoS-vuln.html

Product: ManageEngine EventLog Analyzer version 6.1
Application Vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/

Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010

Type of vulnerability: Denial of Service, Buffer Overflow
Exploit Vectors: Local and Remote

Vulnerability Description:  The application is vulnerable to a Denial of Service (DoS) condition due to a buffer 
overflow encountered when an attacker sends a specially crafted UDP packet to either port 514/UDP or  port 513/UDP of 
the Syslog server. The DoS condition is experienced as a result of sending a large amount of data in the Syslog PRI 
message header field. The length of data sent to the field causes the application to stop responding and terminates the 
“SysEvttCol.exe” process on the affected target. 

Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable)

Impact: Successful exploitation of the described vulnerability will cause a DoS to legitimate users and applications. 
The DoS condition will result in the loss of centralized Syslog message collection, and may reduce the detection 
capability of the affected organization for identifying follow-on attacks and monitoring critical system messages. 
Additionally, a skilled attacker may be able to leverage the buffer overflow condition to execute arbitrary commands in 
the context of the account the application is running as.

Fixed in: No fix currently available.

Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary 
recommends upgrading the application if patches are provided to address the issue identified. Limit access to only 
those systems requiring interaction with the service to reduce available attack vectors.

Keywords: security, vulnerability, ManageEngine, syslog, dos, event, log

Solutionary, Inc. Vulnerability Disclosure Policy
http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html