Enterasys NetSight nssyslogd PRI Remote Code Execution Vulnerability (ZDI-11-350)

Vulnerability Key Information Title: Enterasys NetSight nssyslogd PRI Remote Code Execution Vulnerability ID: - ZDI-11-350 - ZDI-CAN-1099 CVE ID: Not provided CVSS Score: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C Affected Vendor: Enterasys Affected Product: NetSight Trend Micro Customer Protection: Trend Micro TippingPoint IPS customers are protected via Digital Vaccine filter ID ['11871']. More information: http://www.tippingpoint.com Vulnerability Details: - This vulnerability allows remote attackers to execute arbitrary code on vulnerable Enterasys NetSight installations. Exploitation does not require authentication. - The vulnerability resides in the nssyslogd.exe component, which by default listens on UDP port 514. When parsing new syslog messages, the process attempts to copy the PRI field into an intermediate variable. The process does not properly validate the size of the target buffer and blindly copies user-supplied data into a fixed-length buffer on the stack. Remote attackers can exploit this vulnerability to execute arbitrary code in the context of the SYSTEM user. Additional Details: Enterasys has released an update to fix this vulnerability. More details: https://cp-enterasys.kb.net/article.aspx?article=14206&p=1 Disclosure Timeline: - 2011-04-27 - Vulnerability reported to vendor - 2011-12-19 - Coordinated security advisory released Credit: - Jeremy Brown - Andrea Micalizzi (aka rgod)

Goal Reached Thanks to every supporter — we hit 100%!

Enterasys NetSight nssyslogd PRI Remote Code Execution Vulnerability (ZDI-11-350)