syslog-ng TLS Wildcard Matching Vulnerability Allowing Improper Certificate Validation

Vulnerability

A vulnerability exists in syslog-ng versions prior to 4.8.2 in the function 'tls_wildcard_match()', which compares the name in a peer's certificate against the expected hostname. The function accepts wildcards more broadly than the usual rule that a single '*' may stand only for the whole leftmost label: it accepts a wildcard in a non-leftmost label, such as 'foo.*.bar', and a partial-label wildcard, such as 'foo.a*c.bar'. An attacker who can obtain a certificate carrying such a name could have it accepted as valid for hosts it was never meant to cover, enabling man-in-the-middle attacks on TLS connections and interception or alteration of the log traffic carried over them.

Impact

The vulnerability weakens certificate validation on TLS connections rather than disrupting them: a certificate with an over-broad wildcard name is accepted for hostnames it should not match, creating opportunities for man-in-the-middle attacks.

Reproduction

The vulnerability can be reproduced by establishing a TLS connection to an unpatched syslog-ng that verifies the peer name, and presenting a certificate whose name contains a wildcard in a non-leftmost label, such as 'foo.*.bar', or a partial-label wildcard, such as 'foo.a*c.bar'. The unpatched 'tls_wildcard_match()' treats such a name as matching the expected hostname and the connection is accepted; a correct matcher rejects both forms.
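To make the two matching rules concrete, the following added example (written for this page, not code from syslog-ng) places a loose glob-style matcher beside a strict one. The loose matcher lets '*' stand for any run of characters, including dots, anywhere in the pattern, which is the over-broad behaviour the advisory describes; the strict matcher accepts a single '*' only as the entire leftmost label, matching exactly one hostname label. The function names, the pattern/hostname pairs and the "at least two labels after the wildcard" rule are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Loose matcher (illustrative): '*' matches any run of characters, including
 * dots, and may appear anywhere. This is the class of behaviour the advisory
 * describes, not syslog-ng's actual implementation. */
bool loose_wildcard_match(const char *pattern, const char *hostname)
{
    const char *p = pattern, *h = hostname;
    const char *star = NULL, *backtrack = NULL;

    while (*h) {
        if (*p == '*') {                      /* remember where '*' can expand */
            star = p++;
            backtrack = h;
        } else if (*p && tolower((unsigned char)*p) == tolower((unsigned char)*h)) {
            p++;
            h++;
        } else if (star) {                    /* let the last '*' absorb one more char */
            p = star + 1;
            h = ++backtrack;
        } else {
            return false;
        }
    }
    while (*p == '*')
        p++;
    return *p == '\0';
}

/* Strict matcher: the only accepted wildcard form is "*.<suffix>", where the
 * '*' is the whole leftmost label and replaces exactly one non-empty label of
 * the hostname. "foo.*.bar", "foo.a*c.bar" and "*.com" are all rejected.
 * Names without a wildcard must match case-insensitively. */
bool strict_wildcard_match(const char *pattern, const char *hostname)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return strcasecmp(pattern, hostname) == 0;

    /* exactly one '*', at the very start, followed by a '.' */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;

    const char *suffix = pattern + 1;         /* e.g. ".example.com" */

    /* assumption for this example: require at least two labels in the suffix */
    int dots = 0;
    for (const char *c = suffix; *c; c++)
        if (*c == '.')
            dots++;
    if (dots < 2)
        return false;

    /* the wildcard covers the first label only: the rest must equal the suffix */
    const char *first_dot = strchr(hostname, '.');
    if (first_dot == NULL || first_dot == hostname)
        return false;
    return strcasecmp(first_dot, suffix) == 0;
}

int main(void)
{
    /* constructed certificate-name / hostname pairs */
    static const struct { const char *pattern, *hostname; } cases[] = {
        { "foo.*.bar",      "foo.evil.bar"     },   /* wildcard in middle label   */
        { "foo.a*c.bar",    "foo.abc.bar"      },   /* partial-label wildcard     */
        { "*.example.com",  "a.b.example.com"  },   /* '*' spanning two labels    */
        { "*.example.com",  "logs.example.com" },   /* the one legitimate case    */
        { "logs.example.com", "LOGS.example.com" }, /* case-insensitive exact     */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-18s loose=%d strict=%d\n",
               cases[i].pattern, cases[i].hostname,
               loose_wildcard_match(cases[i].pattern, cases[i].hostname),
               strict_wildcard_match(cases[i].pattern, cases[i].hostname));
    return 0;
}
```

The three rejected rows are the ones that matter operationally: a certificate for 'foo.*.bar' or 'foo.a*c.bar' is accepted by the loose matcher for hosts it was never issued for, while the strict matcher only ever lets a wildcard stand in for the single leftmost label.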

Remediation

Users should upgrade to syslog-ng version 4.8.2 or later, where this vulnerability has been fixed. The running version can be checked with 'syslog-ng --version'; until the upgrade is done, the only certificates trusted for TLS peers should be ones whose names contain no wildcard or a wildcard only as the whole leftmost label.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.