
Security Best Practice: Blocking Syslog-Related Vulnerabilities


Check Point Reference: SBP-2007-02
Date Published:
Severity:
Last Updated:
Source: SmartDefense Research Center
Industry Reference(s): CVE-2006-3838, CVE-1999-0063
Protection Provided by:
  • VPN-1: NGX R62, NGX R61, NGX R60
  • InterSpect: NGX
Who is Vulnerable?
Vulnerability Description
The Syslog protocol is used to transmit event notification messages across networks. Syslog is subject to several classes of attack, including message-length attacks such as buffer overflows and null (zero-length) messages. These attacks target weaknesses in the input validation of Syslog servers and relays, which makes validating and limiting message length crucial to the security of Syslog servers.
Further attacks on Syslog servers exploit the absence of proper content screening and the rather loosely defined format of a Syslog message. Such attacks may hide malicious code or format string characters in the body of a Syslog message.
Vulnerability Details
SmartDefense offers several preemptive protections against Syslog related vulnerabilities:

Syslog Relay Servers List - Event message relays, or Syslog relays, receive messages and route them on to Syslog servers. This protection lets you manually add and remove network objects from the Syslog relays list.

Block Message Length Violations - Syslog messages are usually several kilobytes long; longer messages are uncommon. Some Syslog servers are vulnerable to a buffer overrun when handling very long messages. In addition, a flood of zero-length messages on the network can amount to a denial-of-service attack. When this protection is enabled, SmartDefense blocks zero-length messages and messages that are overly long.

Apply Malicious Code Protector (MCP) for Syslog - By crafting strings that contain machine (assembler) code, an attacker can trigger memory corruption that crashes a server or even runs arbitrary code. Buffer overflow attacks can be mounted through any field where user input is expected. This protection analyzes the Syslog message body by disassembling it as machine code, assesses the danger, and allows or rejects the connection accordingly.

Block Non-Standard Source Ports - A Syslog message originating from a source port other than UDP/514 may indicate that it was generated by a process other than Syslog. Attackers can use this free choice of source port to forge or spoof Syslog messages against some Syslog implementations. When this protection is enabled, SmartDefense detects and blocks Syslog messages whose source port is not UDP/514.

Enforce PRIORITY Field Violations - Attackers can use malformed PRI fields to exploit vulnerabilities in Syslog implementations that mishandle malformed PRIORITY values, leading to a buffer overflow or a denial-of-service condition. When this protection is enabled, SmartDefense detects and blocks Syslog messages with a malformed or missing PRI field.

Enforce TIMESTAMP Field Violations for Relays - Messages originating from a Syslog relay must contain a time stamp in the HEADER part. Attackers can use malformed TIMESTAMP fields to exploit vulnerabilities in Syslog implementations that mishandle malformed TIMESTAMP values, leading to a buffer overflow or a denial-of-service condition. When this protection is enabled, SmartDefense detects and blocks Syslog messages from relays that have a malformed or missing TIMESTAMP field.
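To make the message checks concrete, the following is an added example (not Check Point code) of a validator that applies the length, source-port, PRI and relay TIMESTAMP checks described above to a single UDP syslog datagram and returns the same Attack Information strings that SmartView Tracker logs for them. The 1024-byte length limit, the RFC 3164 TIMESTAMP shape and the from_relay flag are assumptions of this example; the MCP disassembly check is not reproduced.

```python
import re

SYSLOG_PORT = 514
MAX_LEN = 1024   # assumed limit; the advisory says only "overly long"
MAX_PRI = 191    # facility (0-23) * 8 + severity (0-7)
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Loose RFC 3164 TIMESTAMP shape "Mmm dd hh:mm:ss "; values are range-checked.
TS_RE = re.compile(r"^([A-Za-z]{3}) ([ 0-3]\d) (\d\d):(\d\d):(\d\d) ")


def timestamp_ok(mon, day, hh, mm, ss):
    """Range-check the captured TIMESTAMP components."""
    return (mon in MONTHS and 1 <= int(day) <= 31
            and int(hh) <= 23 and int(mm) <= 59 and int(ss) <= 59)


def check_syslog(payload: bytes, src_port: int, from_relay: bool = False) -> list:
    """Return the violations found in one UDP syslog datagram (empty = clean).
    from_relay marks a sender on the relay list, which makes TIMESTAMP mandatory."""
    if not payload:                                   # zero-length datagram
        return ["Empty Syslog message (0 bytes)"]
    findings = []
    if len(payload) > MAX_LEN:
        findings.append("System message exceeds length limit")
    if src_port != SYSLOG_PORT:
        findings.append("The source port of a Syslog message is not UDP/514")
    m = PRI_RE.match(payload)
    if m is None:
        # "<" without a valid "<n>" is malformed; no "<" at all is missing
        findings.append("Malformed Syslog Priority field detected"
                        if payload.startswith(b"<")
                        else "Syslog Priority Field missing")
        header = payload
    else:
        if int(m.group(1)) > MAX_PRI:                 # PRI must be 0..191
            findings.append("Malformed Syslog Priority field detected")
        header = payload[m.end():]
    if from_relay:
        ts = TS_RE.match(header.decode("ascii", "replace"))
        if ts is None:
            findings.append("Syslog Timestamp field missing")
        elif not timestamp_ok(*ts.groups()):
            findings.append("Malformed Syslog Timestamp field detected")
    return findings
```

Before enforcing such checks, run them in a report-only mode against live traffic: senders that use an ephemeral source port rather than UDP/514 will be reported by the port check.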

Protection Overview
SmartDefense offers several preemptive protections against Syslog-related vulnerabilities. The protections let you detect and block Syslog messages that have a malformed or missing PRI or TIMESTAMP field, manually add or remove network objects from the Syslog relays list, block zero-length messages and messages that are overly long, and more.

To activate the protection, update your VPN-1/InterSpect product to the latest SmartDefense update. For instructions on updating SmartDefense, see SBP-2006-05, Protection tab, and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Syslog.

2. Select the protection of your choice:

Syslog Relay Servers List
Block Message Length Violations
Apply Malicious Code Protector (MCP) for Syslog
Block Non-Standard Source Ports
Enforce PRIORITY Field Violations
Enforce TIMESTAMP Field Violations in Relays

3. In the configuration pane, under Settings > Mode, check Active.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Syslog Protocol Violation
Attack Information:
System message exceeds length limit
Empty Syslog message (0 bytes)

Attack Name: Syslog Protocol Violation
Attack Information:
Malformed Syslog Priority field detected
Syslog Priority Field missing

Attack Name: Syslog Protocol Violation
Attack Information: The source port of a Syslog message is not UDP/514

Attack Name: Syslog Protocol Violation
Attack Information:
Malformed Syslog Timestamp field detected
Syslog Timestamp field missing

Attack Name: Syslog Protocol Violation
Attack Information: Malicious code detected in Syslog message

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Syslog.

2. Enable the following protections:

Block Message Length Violations
Apply Malicious Code Protector (MCP) for Syslog
Block Non-Standard Source Ports
Enforce PRIORITY Field Violations

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Syslog Protocol Violation
Attack Information:
System message exceeds length limit
Empty Syslog message (0 bytes)

Attack Name: Syslog Protocol Violation
Attack Information:
Malformed Syslog Priority field detected
Syslog Priority Field missing

Attack Name: Syslog Protocol Violation
Attack Information: The source port of a Syslog message is not UDP/514

Attack Name: Syslog Protocol Violation
Attack Information: Malicious code detected in Syslog message

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Syslog.

3. Enable the following protections:

Syslog Relay Servers List
Block Message Length Violations
Apply Malicious Code Protector (MCP) for Syslog
Block Non-Standard Source Ports
Enforce PRIORITY Field Violations
Enforce TIMESTAMP Field Violations in Relays

4. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Syslog Protocol Violation
Attack Information:
System message exceeds length limit
Empty Syslog message (0 bytes)

Attack Name: Syslog Protocol Violation
Attack Information:
Malformed Syslog Priority field detected
Syslog Priority Field missing

Attack Name: Syslog Protocol Violation
Attack Information: The source port of a Syslog message is not UDP/514

Attack Name: Syslog Protocol Violation
Attack Information:
Malformed Syslog Timestamp field detected
Syslog Timestamp field missing

Attack Name: Syslog Protocol Violation
Attack Information: Malicious code detected in Syslog message