[arch-security] [ASA-201508-6] freeradius: insufficient CRL validation

Remi Gacogne rgacogne at archlinux.org
Fri Aug 14 09:27:13 UTC 2015


Arch Linux Security Advisory ASA-201508-6
=========================================

Severity: Low
Date    : 2015-08-14
CVE-ID  : CVE-2015-4680
Package : freeradius
Type    : insufficient CRL validation
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package freeradius before version 3.0.9-1 is vulnerable to
insufficient CRL validation.

Resolution
==========

Upgrade to 3.0.9-1.

# pacman -Syu "freeradius>=3.0.9-1"

The problem has been fixed upstream in version 3.0.9 and 2.2.8.

Workaround
==========

The FreeRADIUS project advises to use self-signed CAs without
intermediate CAs for EAP-TLS, as only intermediate CAs are apparently
vulnerable to this issue.

Description
===========

The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The
FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to
leaf certificates, therefore not detecting revocation of intermediate CA
certificates.
An unexpired client certificate, issued by an intermediate CA with a
revoked certificate, is therefore accepted by FreeRADIUS.

Impact
======

A remote attacker might be able to authenticate using a certificate
signed by a revoked intermediate CA.

References
==========

http://freeradius.org/security.html
http://www.ocert.org/advisories/ocert-2015-008.html
https://access.redhat.com/security/cve/CVE-2015-4680

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150814/c0d67522/attachment.asc>


More information about the arch-security mailing list