The vulnerability exists due to improper validation of calculated offsets within the Syslog input parser and the Dissect processor in Libbeat, a library used by Filebeat. In the Syslog parser, a malformed message containing a crafted `msgid` field can cause the parser to calculate an incorrect length value. When copying data, this length is not properly checked against the destination buffer’s actual size, leading to an out-of-bounds write. Similarly, the Dissect processor fails to validate token lengths specified in a malicious dissect pattern. When processing data with this pattern, it uses an unvalidated user-supplied value to determine how many bytes to copy, resulting in a buffer overflow. Both scenarios trigger a panic in the Go runtime, which crashes the Filebeat process and results in a denial-of-service condition.
Platform: Elastic Filebeat
Version: 7.17.1 / 8.1.1
Vulnerability: Buffer Overflow
Severity: Critical
Date: 2022-05-05
Prediction: 2022-06-01
What Undercode Say:
Example malformed Syslog message triggering the bug:

```bash
echo '<10>1 - - - - - A very long msgid field designed to overflow' | nc -u localhost 5140
```

Example malicious dissect pattern for testing:

```yaml
processors:
  - dissect:
      tokenizer: "%{VeryLongField}"
      field: "message"
```

Command to restart Filebeat after patch:

```bash
sudo systemctl restart filebeat
```
How Exploit:
Attackers send crafted Syslog messages with manipulated `msgid` length or configure malicious dissect patterns in Logstash/Filebeat, causing process crash and data loss.
Protection from this CVE:
Update to Filebeat versions 7.17.2, 8.1.2, or later. Sanitize external log inputs.
Impact:
Denial of Service (process crash), disruption of log ingestion pipeline.
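The bug class described in the summary (an input-derived length used for a copy without checking it against the destination size) is shown below next to its checked form. This is an added illustration, not code from Libbeat or from the original post; `storeMsgID`, `maxMsgID` (set to the 32-character MSGID limit of RFC 5424) and the sample lines are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const maxMsgID = 32 // assumed buffer size: MSGID length limit in RFC 5424

var (
	ErrMalformed = errors.New("malformed syslog header")
	ErrTooLong   = errors.New("msgid exceeds destination buffer")
)

// storeMsgID copies the sixth header token (MSGID in RFC 5424) into a fixed
// buffer. With checked=false it reproduces the bug class: an input-derived
// length drives the writes with no bounds check. recover() turns the
// resulting runtime panic into an error so the demo reports it.
func storeMsgID(line string, checked bool) (buf [maxMsgID]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("runtime panic: %v", r)
		}
	}()
	f := strings.SplitN(line, " ", 7)
	if len(f) < 6 || !strings.HasPrefix(f[0], "<") {
		return buf, ErrMalformed
	}
	id := f[5]
	if checked && len(id) > len(buf) {
		return buf, ErrTooLong // validate the length before any write
	}
	for i := 0; i < len(id); i++ {
		buf[i] = id[i] // unchecked: index out of range once i >= maxMsgID
	}
	return buf, nil
}

func main() {
	// Constructed sample lines, not captured traffic.
	ok := "<10>1 2022-05-05T00:00:00Z host app 42 ID47 - hello"
	long := "<10>1 2022-05-05T00:00:00Z host app 42 " + strings.Repeat("A", 40) + " - hello"
	for _, l := range []string{ok, long} {
		_, e1 := storeMsgID(l, false)
		_, e2 := storeMsgID(l, true)
		fmt.Printf("unchecked=%v checked=%v\n", e1, e2)
	}
}
```

Without the `recover`, the unchecked path would terminate the whole process, which is the denial-of-service outcome listed under Impact; the checked path drops only the offending message.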
Sources:
Reported By: github.com

