Date:      Fri, 22 Nov 2002 17:10:54 -0500
From:      Barney Wolff <barney@tp.databus.com>
To:        freebsd-net@freebsd.org
Subject:   [bugtraq-partner@seculution.de: [OpenBSD] [syslogd] false src-IP when logging to remote syslogd]
Message-ID:  <20021122221054.GA31045@tp.databus.com>

Sounds familiar :)
The question is whether any of the error codes discussed here would cause
syslogd to rebind to the new address.

----- Forwarded message from Torsten Valentin <bugtraq-partner@seculution.de> -----

From: "Torsten Valentin" <bugtraq-partner@seculution.de>
To: <bugtraq@securityfocus.com>
Subject: [OpenBSD] [syslogd] false src-IP when logging to remote syslogd
Date: Wed, 20 Nov 2002 16:36:43 +0100

OpenBSD's syslogd (Tested on OpenBSD 2.9 - 3.2, i386 only) seems to have
a bug that might lead to false information on a remote syslog-server.

The problem can be reproduced by changing the machine's IP using ifconfig
and NOT rebooting the whole machine. Though the machine should not use
the old IP anymore, packets from syslogd to the remote syslog-server
(514/UDP) originate with the OLD source IP the OpenBSD machine had
before ifconfig.

Though this is not a severe security issue which leads to a compromise
of the system itself, it is an issue that leads to false information
on the remote syslogd server, because the packets seem to originate from
an address they are not really coming from.
This might for example result in ID-systems reporting alarms from the
wrong server or even worse not report alarms at all, depending on the
configuration.

The people at OpenBSD have been informed about this today via
sendbug(1), but the Bug Tracking System seems to be disabled at the
moment.

T.

------------------------------
Torsten Valentin
General Manager
SecuLution GmbH 
Friedenstr. 3b
59199 Bönen
Germany
E-Mail: info@4ss.de
http://www.4ss.de



----- End forwarded message -----

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
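The two sides of the problem described in the forwarded report, as an added example that is not code from this thread, from OpenBSD or from its syslogd. The first function shows the mechanism: a UDP socket that is connect()ed once has its local source address chosen by the kernel at that moment and keeps it for as long as the socket lives, so a daemon that never re-creates the socket keeps sending from whatever address the host had when it started. The second part is a collector-side check that flags datagrams whose IP source does not match the address expected for the hostname carried inside the BSD-style syslog line. The hostnames, the 192.0.2.0/24 addresses, the expected-address table and the sample datagrams are all constructed for the example; the loopback connect sends nothing.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed example: not code from the original thread or from OpenBSD's
# syslogd. It shows (1) why a long-lived connected UDP socket keeps the source
# address chosen when it was connected, and (2) a collector-side check that
# flags syslog datagrams whose IP source does not match the address expected
# for the hostname inside the message.

# BSD-style syslog line: <PRI>Mmm dd HH:MM:SS hostname tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)


def source_address_chosen_at_connect(dest: Tuple[str, int]) -> str:
    """Connect a UDP socket and return the local address the kernel picked.

    Nothing is sent: connect() on a datagram socket only records the peer
    and selects the local address. That address is fixed in the socket, so a
    daemon that keeps the socket open across an ifconfig change keeps sending
    from it until it creates a new socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(dest)
        return s.getsockname()[0]
    finally:
        s.close()


def parse_syslog(payload: str) -> Optional[dict]:
    """Split a BSD-style syslog line into PRI, timestamp, hostname and message."""
    m = SYSLOG_RE.match(payload)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("rest"),
    }


def check_datagrams(datagrams, expected: Dict[str, str]) -> List[dict]:
    """Flag datagrams whose IP source does not match the host's expected address.

    `datagrams` is an iterable of (source_ip, payload) pairs as a collector
    would see them; `expected` maps the hostname inside the message to the
    address that host is currently supposed to send from.
    """
    findings = []
    for src_ip, payload in datagrams:
        parsed = parse_syslog(payload)
        if parsed is None:
            findings.append({"src_ip": src_ip, "reason": "unparseable", "payload": payload})
            continue
        want = expected.get(parsed["host"])
        if want is None:
            findings.append({"src_ip": src_ip, "host": parsed["host"], "reason": "unknown host"})
        elif want != src_ip:
            findings.append({
                "src_ip": src_ip,
                "host": parsed["host"],
                "expected_ip": want,
                "reason": "source mismatch",
            })
    return findings


# Constructed sample input (addresses from the 192.0.2.0/24 documentation
# range). "obsd" was renumbered from 192.0.2.10 to 192.0.2.20; the second
# datagram is the stale-source case from the report.
EXPECTED = {"obsd": "192.0.2.20", "fw1": "192.0.2.1"}
SAMPLE = [
    ("192.0.2.1", "<34>Nov 20 16:36:43 fw1 sshd[123]: Accepted publickey for root"),
    ("192.0.2.10", "<38>Nov 20 16:37:01 obsd sshd[456]: Failed password for root from 198.51.100.7"),
    ("192.0.2.20", "<38>Nov 20 16:38:12 obsd sshd[457]: Failed password for root from 198.51.100.7"),
    ("192.0.2.99", "garbage"),
]

if __name__ == "__main__":
    print(source_address_chosen_at_connect(("127.0.0.1", 514)))
    for finding in check_datagrams(SAMPLE, EXPECTED):
        print(finding)
```

The check only catches the case the report describes when the collector knows which address each host is supposed to use; a map keyed on hostname is the simplest form of that, and a mismatch is worth an alert rather than a silent drop, since the message content is still genuine even though its source address is stale.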
