-
Title
Central List of Documented CVE’s for Syslog-ng Store Box -
Description
This knowledge article is based on customer queries and it is not the full list of Syslog-ng Store Box (SSB) vulnerabilities and exposures.
-
Cause
A penetration test has found possible vulnerabilities in the SSB appliance.
-
Resolution
Vulnerabilities and exposures
Number Description Affected versions Resolution CVE-2016-10708 sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service LTS SSB 5.0.x, FR Upgrade to SSB 6 LTS (OpenSSH version 7.6p1) CVE-2017-15906 The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in read-only mode LTS SSB 5.0.x, FR Upgrade to SSB 6 LTS (OpenSSH version 7.6p1) Known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system ALL https://support.oneidentity.com/kb/298990 CVE-2019-11478 It is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue ALL https://support.oneidentity.com/kb/298990 CVE-2013-4786 The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks. Only hardware appliances MBX T1, T4 and T10
The IPMI interface has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends the followings.
- Connect the IPMI interface to well-protected, separated management networks with restricted accessibility.
- Use strong passwords, at least 16 characters long with a mixture of upper and lowercase letters, numbers, and special characters.CVE-2013-4037 The RAKP protocol support in the IPMI implementation sends a password hash to the client, which makes it easier for remote attackers to obtain access via a brute-force attack. Only hardware appliances MBX T1, T4 and T10 The IPMI interface has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends the followings.
- Connect the IPMI interface to well-protected, separated management networks with restricted accessibility.
- Use strong passwords, at least 16 characters long with a mixture of upper and lowercase letters, numbers, and special characters.Other high-risk vulnerabilities
Outdated version of OpenSSH, OpenSSL
- Every SSB release includes security fixes, the full list can be be found in the release notes.
Make sure that you are on the latest version of your branch (LTS or Feature). - SSB Feature release has a more recent version of the affected applications, upgrade to LTS branch if you can.
Note: Feature branch currently does not support SQL source and SNMP destination. More information here: LTS vs. Feature branch
List of CVEs not affecting SSB
Number Description Reason for not being affected CVE-2015-3200 mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication mod_auth module is unused in lighttpd on SSB CVE-2018-19052 An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. mod_alias module is unused in lighttpd on SSB CVE-2018-10933 A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. libssh is unused in SSB CVE-2019-5599 A bug in the non-default RACK TCP stack can allow an attacker to cause several linked lists to grow unbounded and cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service Only FreeBSD is affected CVE-2019-1552 OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. Windows builds with insecure path defaults. Only Windows is affected - Every SSB release includes security fixes, the full list can be be found in the release notes.
-
Additional Information
More details about CVEs can be found at https://cve.mitre.org/
To get more information about a not listed CVE open a support case.