CVE-2011-1154 in logrotate

Summary

by MITRE

The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.


Analysis

by VulDB Data Team • 10/21/2021

The vulnerability identified as CVE-2011-1154 resides in the logrotate utility, version 3.7.9 and earlier, specifically in the shred_file function in the logrotate.c source file. It is a critical security flaw that enables context-dependent attackers to execute arbitrary commands by placing shell metacharacters in log filenames. The flaw lies in the improper handling of untrusted input when filenames are constructed automatically from system identifiers such as hostnames or virtual machine names, which opens an execution path that bypasses normal input validation.

The technical flaw stems from insufficient sanitization of log filenames before they are passed to shell commands within the logrotate utility. When logrotate encounters a log file whose name contains shell metacharacters such as semicolons, ampersands, or backticks, the shell interprets those characters as command syntax during execution rather than treating them as literal parts of the filename. The result is a command injection vulnerability in which attacker-controlled input is executed as shell commands, effectively allowing remote code execution with the privileges of the logrotate process. The vulnerability is particularly dangerous because it leverages legitimate system functionality to achieve malicious code execution, which makes detection and prevention more challenging.

The operational impact of this vulnerability extends beyond a single command execution, as it can give attackers persistent access to systems through logrotate's privileged execution context. Since logrotate typically runs with elevated privileges to manage system log files, successful exploitation can provide attackers with elevated system access. The vulnerability is particularly concerning in environments where logrotate is configured to automatically process log files from untrusted sources, or where system identifiers such as hostnames are derived from user input. In that scenario an attacker could manipulate the hostname or virtual machine name to inject shell commands that execute during the log rotation process.

Mitigation strategies for CVE-2011-1154 should focus on immediate patching of logrotate to version 3.8.0 or later, which contains the necessary input validation fixes. Organizations should also implement strict input validation for log file names and consider using the --noexec option to test logrotate configurations without actually executing commands. The vulnerability aligns with CWE-78, which describes improper neutralization of special elements used in OS commands, and maps to ATT&CK technique T1059.007 for Unix shell commands and scripts. Additional protective measures include monitoring logrotate execution patterns, implementing file system permissions that restrict log file modifications, and using automated tools to scan for vulnerable logrotate configurations. Organizations should also consider network segmentation to limit the impact of successful exploitation, and should maintain comprehensive audit trails for logrotate activities to detect unauthorized modifications.
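The following is an added illustration, not logrotate's own shred_file code: it shows the injection pattern the analysis describes (a log filename spliced into a command line that a shell parses) next to a fork/exec invocation that never involves a shell, plus the metacharacter check that the mitigation paragraph calls for. Function names, the "shred -u" command line and the sample filename are assumptions constructed for the example.

```c
/* Added illustration (not logrotate's own shred_file): the filename-into-shell
 * pattern the analysis describes beside the fork/exec form that avoids it. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE PATTERN: if this string reached system()/popen(), ';', '`', '$('
 * inside the filename would be parsed by the shell as command syntax.
 * Only built here for display; it is never handed to a shell. */
int build_shell_cmd(char *out, size_t n, const char *filename)
{
    return snprintf(out, n, "shred -u %s", filename);
}

/* Defensive check: a log name derived from a hostname or VM name should
 * never contain shell syntax; reject it before any further processing. */
int has_shell_metachars(const char *name)
{
    return strpbrk(name, ";&|$`<>()*?'\"\\ \t\n") != NULL;
}

/* HARDENED PATTERN: argv goes straight to execvp() with no shell, so the
 * filename stays one opaque argument. Returns the child's exit status or -1. */
int run_noshell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* execvp returns only on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int shred_noshell(const char *filename)
{
    char *argv[] = { "shred", "-u", (char *)filename, NULL };
    return run_noshell(argv);
}

int main(void)
{
    const char *name = "host; echo injected";  /* constructed sample */
    char cmd[128];
    build_shell_cmd(cmd, sizeof cmd, name);
    printf("shell would see: %s\nmetacharacters: %d\n", cmd, has_shell_metachars(name));
    return 0;
}
```

Run as root-free demo: the program only prints what a shell would have parsed; shred_noshell(path) is the form to use when the file really must be destroyed.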

Reservation

03/03/2011

Disclosure

03/30/2011

Moderation

accepted

Entry

VDB-56967

CPE

ready

EPSS

0.00412

KEV

no

Activities

very low
