Check Point Reference: | SBP-2007-02 |
Date Published: | 18 Oct 2006 |
Severity: | High |
Last Updated: | Monday 08 August, 2016 |
Source: | |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | Syslog is a standard for transporting event notification messages over IP networks to event message collectors, or Syslog servers. Syslog is often used for system management and security auditing. Syslog servers, by default, listen on UDP port 514. It is also possible to have event message relays, or Syslog relays, that receive messages and route them to Syslog servers. The full format of a Syslog message consists of three parts: PRIORITY (PRI), HEADER, and MSG. According to RFC 3164, the PRI part has one field, which consists of a leading less-than sign (<), a number, and a terminating greater-than sign (>). Attackers can send Syslog messages with malformed PRI fields to exploit vulnerabilities in the way Syslog implementations handle the PRIORITY value. This may lead to a buffer overflow or a denial of service condition. |
This protection detects and blocks Syslog messages that have a malformed or missing PRI field. If the "Apply to messages sent from all hosts" option is selected, IPS applies the protection to all Syslog messages. Otherwise, if the "Apply only to messages sent from your designated Syslog relays" option is selected, IPS applies the protection only to the network objects selected in the Syslog Relay List pane. Detect mode makes it possible to track input validation attacks without blocking them.
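The PRI check described above, written out as a small relay-side validator. This is an added example, not Check Point's IPS code: it applies the RFC 3164 PRI rules (angle brackets, a decimal Priority of at most three digits, value 0..191) to constructed sample datagrams, and the relay_sources parameter mirrors the page's "all hosts" versus "designated Syslog relays" options; the 192.0.2.x source addresses are assumed documentation values.

```python
import re

# RFC 3164 section 4.1.1: the PRI part is "<", a decimal Priority value, ">" and is
# 3 to 5 characters long. Priority = facility * 8 + severity, facility 0..23 and
# severity 0..7, so the only valid Priority values are 0..191.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # 191

def parse_pri(datagram: bytes):
    """Return (facility, severity) for a well-formed PRI, else None.
    Works on the raw UDP payload so a missing, empty, unterminated, non-numeric,
    over-long or out-of-range PRI is rejected without decoding the message."""
    match = PRI_RE.match(datagram)
    if match is None:
        return None
    value = int(match.group(1))
    if value > MAX_PRI:
        return None
    return value // 8, value % 8

def filter_datagrams(datagrams, relay_sources=None):
    """Apply the PRI check to (source, payload) pairs and return (accepted, rejected).
    relay_sources=None checks every message ("all hosts"); otherwise only messages
    from the listed relay addresses are checked and all others pass untouched."""
    accepted, rejected = [], []
    for source, payload in datagrams:
        in_scope = relay_sources is None or source in relay_sources
        if in_scope and parse_pri(payload) is None:
            rejected.append((source, payload))
        else:
            accepted.append((source, payload))
    return accepted, rejected

# Constructed sample datagrams; sources use RFC 5737 documentation addresses.
# The first payload is the example message given in RFC 3164 section 5.4.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    ("192.0.2.10", b"<13>Oct 18 10:00:00 host1 app: normal user.notice message"),
    ("192.0.2.11", b"Oct 18 10:00:01 host2 app: PRI part missing entirely"),
    ("192.0.2.11", b"<>Oct 18 10:00:02 host3 app: empty PRI"),
    ("192.0.2.12", b"<999>Oct 18 10:00:03 host4 app: Priority above 191"),
    ("192.0.2.12", b"<13Oct 18 10:00:04 host5 app: PRI never terminated"),
    ("192.0.2.13", b"<1a>Oct 18 10:00:05 host6 app: non-digit inside PRI"),
]

if __name__ == "__main__":
    for source, payload in filter_datagrams(SAMPLE_DATAGRAMS)[1]:
        print(f"drop from {source}: {payload[:20]!r}...")
```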
To activate this protection, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click the Protection tab, and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Syslog Protocol Violation.
Attack Information: phpFileManager cmd Parameter Command Execution