[arch-security] [ASA-201508-6] freeradius: insufficient CRL validation
Arch Linux Security Advisory ASA-201508-6
=========================================

Severity: Low
Date    : 2015-08-14
CVE-ID  : CVE-2015-4680
Package : freeradius
Type    : insufficient CRL validation
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package freeradius before version 3.0.9-1 is vulnerable to
insufficient CRL validation: revocation of an intermediate CA
certificate is not detected when validating EAP-TLS client certificates.

Resolution
==========

Upgrade to 3.0.9-1.

# pacman -Syu "freeradius>=3.0.9-1"

The problem has been fixed upstream in versions 3.0.9 and 2.2.8.

Workaround
==========

Until the upgrade is applied, the FreeRADIUS project advises using a
self-signed CA that issues EAP-TLS client certificates directly, with no
intermediate CAs in the chain. The missing check only concerns the
revocation status of intermediate CA certificates; revocation of the
client (leaf) certificate itself is still detected.

Description
===========

The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The way
FreeRADIUS configures OpenSSL's CRL checking limits the check to the
leaf certificate, so revocation of an intermediate CA certificate is
never detected. An unexpired client certificate issued by an
intermediate CA whose own certificate has been revoked is therefore
accepted by FreeRADIUS, even though the CRL listing that intermediate
is available to the server.

Impact
======

A remote attacker holding a client certificate issued by an
intermediate CA that has since been revoked (typically because the
intermediate's key was compromised) can still authenticate to the
server over EAP-TLS.

References
==========

http://freeradius.org/security.html
http://www.ocert.org/advisories/ocert-2015-008.html
https://access.redhat.com/security/cve/CVE-2015-4680
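The following is an added illustration of the description above, written for this page in Go; it is not FreeRADIUS or OpenSSL code. In OpenSSL terms the gap is the difference between X509_V_FLAG_CRL_CHECK, which consults a CRL only for the leaf certificate, and X509_V_FLAG_CRL_CHECK_ALL, which consults the issuer's CRL for every certificate in the chain. The program builds a constructed PKI (root CA, intermediate CA, EAP client certificate; all names, serials and keys are invented here), revokes the intermediate on the root's CRL, verifies the chain with Go's crypto/x509, and then runs a leaf-only CRL lookup beside a full-chain one. Path validation alone accepts the client; the leaf-only lookup still accepts it (the advisory's hole); only the full-chain lookup rejects it. The helper names (must, issue, crlFor, checkChainCRLs, Demo) are assumptions of this example, not FreeRADIUS options. It needs Go 1.19 or later for the standard-library CRL API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: fine for building demo fixtures, not for server code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer on behalf of parent (pass tmpl twice for self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// crlFor issues a CRL signed by issuer that lists the given serials as revoked.
func crlFor(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked { // RevokedCertificates exists on every Go release that has CreateRevocationList
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now.Add(-time.Minute)})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// checkChainCRLs walks a verified chain (leaf first, root last) and looks each certificate
// up in its issuer's CRL after verifying the CRL signature. leafOnly reproduces the pre-fix
// behaviour the advisory describes: only the end-entity certificate is consulted.
func checkChainCRLs(chain []*x509.Certificate, crls map[string]*x509.RevocationList, leafOnly bool) (bool, error) {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl := crls[string(issuer.RawSubject)]
		if crl == nil { // fail closed rather than silently skipping the check
			return false, fmt.Errorf("no CRL available for issuer %s", issuer.Subject.CommonName)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return false, fmt.Errorf("CRL from %s: %w", issuer.Subject.CommonName, err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return true, nil
			}
		}
		if leafOnly {
			break
		}
	}
	return false, nil
}

// Demo builds root -> intermediate -> client (all constructed here), revokes the
// intermediate on the root's CRL, and reports what leaf-only and full-chain checking say.
func Demo() (leafOnlyRevoked, fullChainRevoked bool, err error) {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-time.Hour),
			NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	rootTmpl := ca(1, "Demo Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(ca(2, "Demo Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "eap-client"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, inter, &leafKey.PublicKey, interKey)
	// The root revokes the intermediate; the intermediate's own CRL is empty, so the client certificate is listed nowhere.
	crls := map[string]*x509.RevocationList{
		string(root.RawSubject):  crlFor(root, rootKey, inter.SerialNumber),
		string(inter.RawSubject): crlFor(inter, interKey),
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return false, false, err // signature or validity failure, not a CRL verdict
	}
	chain := chains[0] // [client, intermediate, root]: path validation alone says "valid"
	if leafOnlyRevoked, err = checkChainCRLs(chain, crls, true); err != nil {
		return
	}
	fullChainRevoked, err = checkChainCRLs(chain, crls, false)
	return
}

func main() {
	fmt.Println(Demo()) // prints: false true <nil>
}
```

The map keyed by the issuer's raw subject stands in for the CRL store a real server would load from disk; the fail-closed branch for a missing CRL matters because a lenient "skip if absent" policy turns a misconfigured CRL path into the same hole the advisory describes.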
participants (1)
-
Remi Gacogne