Re: [logs] WinSyslog Long Syslog Message Denial of Service

From: Rainer Gerhards (rgerhards@private)
Date: Tue Oct 21 2003 - 02:51:48 PDT

  • Next message: Tina Bird: "[logs] firewall logging and rulesets"

    On Sat, 2003-10-18 at 18:18, Andrew Sturman wrote:
    > Just in case you haven't seen it.
    Looks like this calls me ;-)
    Actually, this security bulletin is not very well researched. We worked
    with Noam Rathaus of on this issue. We passed him
    complete information, including the vulnerable versions and fix.
    Unfortunately, none of that went into the advisory.
    Please visit
    For the full details.
    A short breakdown: Interactive Server, a debugging and interactive
    troubleshooting tool, included in WinSyslog  and MonitorWare Agent, has
    a vulnerability in it. All versions downloaded prior to 2003-09-16 have
    the vulnerable component. Noam claimed that this vulnerability can lead
    to an operating system DoS, but we were never able to reproduce this -
    but of course I can not outrule it. Play safe, install the patch.
    The core issue is that we hand over the data to a Microsoft Grid
    Control, which in turn experiences the the performance issues that lead
    to DoS of the Interactive Server. It is fixed by limiting the amount of
    data that is passed over.
    As a side note: if you run Interactive Server for serious logging needs,
    please reconsider your decision. It was never designed for this (nor do
    our samples promote this). Use the service instead. Email my privately
    if you do it and need assistance in setting up the service correctly.
    Please note that the solution proposed in the advisory does NOT work.
    The solution is to download the fix. It does not work, because:
    >Run the WinSyslog service and interactive syslog server on the same
    >system and make sure that the interactive syslog server only binds to
    >the localhost ( interface.
    WinSyslog Interactive Server can not be configured to listen to, only (looking at the menu options would have showed that ;-))
    >In infrastructures where the WinSyslog service and the interactive
    >syslog server is required to be on two separate systems, they should be
    >placed on their own network with a filtering device in front. This
    >should only allow traffic to the syslog service on port 514/udp and
    >services required for management purposes.
    >From an architectural point of view, relying on an interactive,
    non-automated process is bad design and includes many more potential
    security issues. There is no need to do this with WinSyslog, so don't do
    >NOTE: It is not sufficient to just filter traffic to port 10514/udp so
    >only traffic from trusted IPs is accepted, since UDP traffic is easily
    This is true, but proper filtering would block the spoofed traffic
    before it enters the internal network.
    Sorry for a somewhat lengthy response. I have to admit that I was not
    very delighted by the advisory. Not because it is there - I believe in
    full disclosure and information sharing - but because of the poor
    quality it has *even after talking to one of the researches* (and yes, I
    have records of those conversations ;)).
    Back to log analysis... (any flames please privately).
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:04:17 PDT