mailing list archives
ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
From: robkraus () solutionary com
Date: Fri, 10 Dec 2010 07:06:14 -0700
Title: ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability
Risk (CVSS2 Base Score): High (7.8)
Solutionary ID: SERT-VDN-1000
CVE ID: Pending
Solutionary Disclosure URL:
Product: ManageEngine EventLog Analyzer version 6.1
Application Vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/
Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010
Type of vulnerability: Denial of Service, Buffer Overflow
Exploit Vectors: Local and Remote
Vulnerability Description: The application is vulnerable to a Denial of Service (DoS) condition due to a buffer
overflow encountered when an attacker sends a specially crafted UDP packet to either port 514/UDP or port 513/UDP of
the Syslog server. The DoS condition is experienced as a result of sending a large amount of data in the Syslog PRI
message header field. The length of data sent to the field causes the application to stop responding and terminates the
SysEvttCol.exe process on the affected target.
Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable)
Impact: Successful exploitation of the described vulnerability will cause a DoS to legitimate users and applications.
The DoS condition will result in the loss of centralized Syslog message collection, and may reduce the detection
capability of the affected organization for identifying follow-on attacks and monitoring critical system messages.
Additionally, a skilled attacker may be able to leverage the buffer overflow condition to execute arbitrary commands in
the context of the account the application is running as.
Fixed in: No fix currently available.
Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary
recommends upgrading the application if patches are provided to address the issue identified. Limit access to only
those systems requiring interaction with the service to reduce available attack vectors.
Keywords: security, vulnerability, ManageEngine, syslog, dos, event, log
Solutionary, Inc. Vulnerability Disclosure Policy
- ManageEngine EventLog Analyzer Syslog Remote Denial of Service Vulnerability robkraus (Dec 10)