syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9.

The remote host is affected by the vulnerability described in GLSA-200907-10 (Syslog-ng: Chroot escape)

    Florian Grandel reported that Syslog-ng does not call chdir() before     chroot() which leads to an inherited file descriptor to the current     working directory.
  Impact :

    A local attacker might exploit a separate vulnerability in Syslog-ng     and use this vulnerability to escape the chroot jail.
  Workaround :

    There is no known workaround at this time.

Fixes CVE-2008-5110

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Florian Grandel reports :

I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.

This opens up ways to work around the chroot jail.

ID	Name	Product	Family	Severity
39781	GLSA-200907-10 : Syslog-ng: Chroot escape	Nessus	Gentoo Local Security Checks	high
36373	Fedora 10 : syslog-ng-2.0.10-1.fc10 (2008-10879)	Nessus	Fedora Local Security Checks	high
35049	Fedora 8 : syslog-ng-2.0.10-1.fc8 (2008-10920)	Nessus	Fedora Local Security Checks	high
35045	Fedora 9 : syslog-ng-2.0.10-1.fc9 (2008-10752)	Nessus	Fedora Local Security Checks	high
34816	FreeBSD : syslog-ng2 -- startup directory leakage in the chroot environment (75f2382e-b586-11dd-95f9-00e0815b8da8)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2008-5110

high

Tenable Plugins

high

high

high

high

high