CVE-2011-1155 in logrotate
Summary
by MITRE
The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name.
Analysis
by VulDB Data Team • 10/21/2021
CVE-2011-1155 is a critical denial of service weakness in the logrotate utility, version 3.7.9 and earlier, located in the writeState function of the logrotate.c source file. The flaw stems from inadequate validation and sanitization of log filenames, which lets a context-dependent attacker who can influence a filename deliberately disrupt rotation through carefully chosen characters. The vulnerability manifests when logrotate encounters a log filename containing a newline or backslash character: neither is escaped or otherwise handled during the rotation process, and the result is an outage of log rotation.
The defect lies in the parsing logic behind logrotate's state-writing mechanism. When writeState records a log filename, it does not sanitize or escape special characters, including the newline and backslash that may be present in dynamically generated filenames. When such characters appear in filenames constructed from hostnames or virtual machine names, the rotation process fails. The vulnerability is particularly dangerous because logrotate operates at the system level, where log management is critical for security monitoring and incident response, so the denial of service impact is severe and potentially disruptive to security operations.
The operational impact extends beyond a simple service interruption. When logrotate fails because of a malformed filename, rotation stops, which can lead to disk space exhaustion, loss of critical security audit trails, and potential compliance violations. The vulnerability is especially concerning in environments where automated systems derive log filenames from dynamic hostnames or virtual machine identifiers; such systems are common in cloud deployments, containerized environments, and large-scale enterprise infrastructures, where log management is automated and critical for security operations.
This vulnerability maps directly to CWE-174, which describes the weakness of insufficient control of a resource through a Unicode normalization, and CWE-77, which addresses the weakness of command injection. The attack pattern aligns with ATT&CK technique T1485, which involves data destruction, and T1070, which covers indicator removal on host. Affected organizations should update to logrotate version 3.7.10 or later, which contains the patches needed to handle special characters in filenames properly. Additionally, administrators should review and sanitize the processes that generate log filenames so that problematic characters are never introduced, implement input validation at the point of filename creation, and monitor for unusual log rotation failures that might indicate exploitation attempts. The vulnerability demonstrates the importance of proper input sanitization in system utilities and shows how a seemingly minor parsing flaw can cause significant operational disruption in security infrastructure components.
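The following C program is an illustration added to this entry, not code taken from logrotate. It models the state-file record handling that the analysis describes: a naive writer that copies the log filename verbatim between quotes (the pre-3.7.10 behaviour as the page describes it) beside an escaping writer and a matching reader, which is the kind of special-character handling the mitigation paragraph refers to. The record format, the function names and the sample paths are constructed for this example and are not logrotate's actual state-file format; the example also escapes a double quote, which the page does not mention, because a quote would break a quoted-path record in the same way.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a logrotate-style state file (hypothetical, not the
 * project's own format). Each record is:  "<log path>" <date>\n
 * The quoted path is where a newline or backslash causes trouble. */

/* Naive writer: copies the path verbatim between quotes. A '\n' inside the
 * path ends the line early, so a line-oriented reader sees a truncated
 * record followed by a line it cannot parse; a '\\' is written unescaped. */
static int naive_write(char *out, size_t cap, const char *path, const char *date) {
    int n = snprintf(out, cap, "\"%s\" %s\n", path, date);
    return n >= 0 && (size_t)n < cap;
}

/* Append one byte with bounds checking, keeping the buffer NUL-terminated. */
static int put(char *out, size_t cap, size_t *n, char c) {
    if (*n + 1 >= cap) return 0;
    out[(*n)++] = c;
    out[*n] = '\0';
    return 1;
}

/* Escaping writer: '\\' -> "\\\\", '\n' -> "\\n", '"' -> "\\\"" so that every
 * record occupies exactly one line and the reader can reverse the encoding. */
static int escaped_write(char *out, size_t cap, const char *path, const char *date) {
    size_t n = 0;
    if (cap == 0) return 0;
    out[0] = '\0';
    if (!put(out, cap, &n, '"')) return 0;
    for (const char *p = path; *p; p++) {
        char esc = 0;
        if (*p == '\\') esc = '\\';
        else if (*p == '\n') esc = 'n';
        else if (*p == '"') esc = '"';
        if (esc && !put(out, cap, &n, '\\')) return 0;
        if (!put(out, cap, &n, esc ? esc : *p)) return 0;
    }
    if (!put(out, cap, &n, '"') || !put(out, cap, &n, ' ')) return 0;
    for (const char *p = date; *p; p++)
        if (!put(out, cap, &n, *p)) return 0;
    return put(out, cap, &n, '\n');
}

/* Reader for the escaped format. Returns 1 on success; an unknown escape or
 * a malformed record is rejected instead of being silently truncated. */
static int escaped_parse(const char *line, char *path, size_t pcap,
                         char *date, size_t dcap) {
    size_t n = 0, d = 0;
    if (*line++ != '"') return 0;
    while (*line && *line != '"') {
        char c = *line++;
        if (c == '\\') {
            if (*line == '\\') c = '\\';
            else if (*line == 'n') c = '\n';
            else if (*line == '"') c = '"';
            else return 0;
            line++;
        }
        if (n + 1 >= pcap) return 0;
        path[n++] = c;
    }
    path[n] = '\0';
    if (*line++ != '"' || *line++ != ' ') return 0;
    while (*line && *line != '\n') {
        if (d + 1 >= dcap) return 0;
        date[d++] = *line++;
    }
    date[d] = '\0';
    return 1;
}

static int count_newlines(const char *s) {
    int lines = 0;
    for (; *s; s++) if (*s == '\n') lines++;
    return lines;
}

/* Lines one record occupies in the state file; anything other than 1 means
 * the file is no longer line-aligned with its records. */
int naive_record_lines(const char *path) {
    char buf[512];
    if (!naive_write(buf, sizeof buf, path, "2011-3-15")) return -1;
    return count_newlines(buf);
}

int escaped_record_lines(const char *path) {
    char buf[512];
    if (!escaped_write(buf, sizeof buf, path, "2011-3-15")) return -1;
    return count_newlines(buf);
}

/* 1 if the path survives write + parse unchanged, 0 otherwise. */
int roundtrip_ok(const char *path) {
    char buf[512], back[512], date[32];
    if (!escaped_write(buf, sizeof buf, path, "2011-3-15")) return 0;
    if (!escaped_parse(buf, back, sizeof back, date, sizeof date)) return 0;
    return strcmp(back, path) == 0 && strcmp(date, "2011-3-15") == 0;
}

int main(void) {
    /* Constructed sample paths: a plain one, one derived from a hostname that
     * carried a newline, and one with a backslash from a VM name. */
    const char *samples[] = { "/var/log/app.log", "/var/log/web\n01.log",
                              "/var/log/vm\\guest.log" };
    for (size_t i = 0; i < 3; i++)
        printf("naive lines=%d escaped lines=%d roundtrip=%d\n",
               naive_record_lines(samples[i]), escaped_record_lines(samples[i]),
               roundtrip_ok(samples[i]));
    return 0;
}
```

Running it shows the naive record for the newline-bearing path spanning two lines while the escaped record stays on one and parses back to the original path; the same escaping discipline applied at the point where filenames are generated, as the mitigation paragraph recommends, keeps such characters out of the state file altogether.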