Check Point Advisories

Syslog PRIORITY Field Enforcement

Check Point Reference: SBP-2007-02
Date Published: 18 Oct 2006
Severity: High
Last Updated: Monday 08 August, 2016
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70, R65

Who is Vulnerable?

Vulnerability Description

Syslog is a standard for transporting event notification messages over IP networks to event message collectors, or Syslog servers. Syslog is often used for system management and security auditing. Syslog servers, by default, listen on UDP port 514. It is also possible to have event message relays, or Syslog relays, that receive messages and route them to Syslog servers. The full format of a Syslog message consists of three parts: PRIORITY, HEADER, and MSG. According to RFC 3164, the PRI part has one field, which consists of a leading less-than sign (<), a number, and a terminating greater-than sign (>). Attackers can send Syslog messages with malformed PRI fields to exploit vulnerabilities in Syslog implementations that do not validate the PRIORITY value. This may lead to a buffer overflow or a denial of service condition.

Protection Overview

This protection will detect and block Syslog messages that have a malformed or missing PRI field. If the "Apply to messages sent from all hosts" option is selected, then IPS will apply the protection to all Syslog messages. Otherwise, if the "Apply only to messages sent from your designated Syslog relays" option is selected, then IPS will apply the protection only to the network objects selected in the Syslog relay List pane. The detect mode makes it possible to track input validation attacks without blocking them.
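As an added illustration of the PRI check described above and of the detect/prevent distinction (example code written for this page, not Check Point's implementation), the following validator accepts only a PRI part of the form "<", one to three digits, ">" with a value of at most 191 (facility * 8 + severity), and classifies everything else as missing, malformed or out of range. The sample datagrams are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 PRI part: "<", one to three decimal digits, ">", at the very start of
# the datagram. The value is facility * 8 + severity, so it can never exceed 191.
PRI_RE = re.compile(r"^<([0-9]{1,3})>")

@dataclass
class PriResult:
    ok: bool
    reason: str
    facility: Optional[int] = None
    severity: Optional[int] = None

def check_pri(datagram: bytes) -> PriResult:
    """Validate only the PRI part of one raw syslog datagram."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return PriResult(False, "non-ASCII bytes")
    if not text.startswith("<"):
        return PriResult(False, "missing PRI")
    m = PRI_RE.match(text)
    if m is None:                      # e.g. "<abc>", "< 34>", "<1234>"
        return PriResult(False, "malformed PRI")
    value = int(m.group(1))
    if value > 191:                    # facility would exceed 23
        return PriResult(False, "PRI value out of range")
    return PriResult(True, "ok", facility=value >> 3, severity=value & 7)

def enforce(datagrams: List[bytes], mode: str = "prevent") -> List[Tuple[str, str]]:
    """'prevent' drops offending messages; 'detect' only records them."""
    actions = []
    for d in datagrams:
        r = check_pri(d)
        if r.ok:
            actions.append(("accept", r.reason))
        else:
            actions.append(("drop" if mode == "prevent" else "detect", r.reason))
    return actions

# Constructed sample datagrams (not captured traffic).
SAMPLES = [
    b"<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick",  # valid: auth.crit
    b"Oct 11 22:14:15 host su: no PRI at all",                    # missing PRI
    b"<abc>Oct 11 22:14:15 host su: letters in PRI",              # malformed
    b"<999>Oct 11 22:14:15 host su: value too large",             # out of range
    b"< 34>Oct 11 22:14:15 host su: space inside PRI",            # malformed
]
```

Running `enforce(SAMPLES, "detect")` records the four bad datagrams without dropping them, which is the behaviour to use while confirming that legitimate relays never emit a PRI the check rejects.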

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

  1. In the IPS tab, click Protections, find the Syslog PRIORITY Field Enforcement protection using the Search tool, and edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Syslog Protocol Violation.
Attack Information:  phpFileManager cmd Parameter Command Execution
