Title: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability Risk (CVSS2 Base Score): High (7.8) Solutionary ID: SERT-VDN-1000 CVE ID: Pending Solutionary Disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-Eventlog-Analyzer-Syslog-Renite-DoS-vuln.html Product: ManageEngine EventLog Analyzer version 6.1 Application Vendor: ManageEngine Vendor URL: http://www.manageengine.com/products/eventlog/ Date discovered: 9/15/2010 Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT) Vendor notification date: 10/26/2010 Vendor response date: 11/12/2010 Vendor acknowledgment date: 12/2/2010 Vendor provided fix: No fix provided Release coordinated with the vendor: N/A Public disclosure date: 12/10/2010 Type of vulnerability: Denial of Service, Buffer Overflow Exploit Vectors: Local and Remote Vulnerability Description: The application is vulnerable to a Denial of Service (DoS) condition due to a buffer overflow encountered when an attacker sends a specially crafted UDP packet to either port 514/UDP or port 513/UDP of the Syslog server. The DoS condition is experienced as a result of sending a large amount of data in the Syslog PRI message header field. The length of data sent to the field causes the application to stop responding and terminates the ?SysEvttCol.exe? process on the affected target. Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation. Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable) Impact: Successful exploitation of the described vulnerability will cause a DoS to legitimate users and applications. The DoS condition will result in the loss of centralized Syslog message collection, and may reduce the detection capability of the affected organization for identifying follow-on attacks and monitoring critical system messages. Additionally, a skilled attacker may be able to leverage the buffer overflow condition to execute arbitrary commands in the context of the account the application is running as. Fixed in: No fix currently available. Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are provided to address the issue identified. Limit access to only those systems requiring interaction with the service to reduce available attack vectors. Keywords: security, vulnerability, ManageEngine, syslog, dos, event, log Solutionary, Inc. Vulnerability Disclosure Policy http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html
