[arch-security] [ASA-201508-6] freeradius: insufficient CRL validation
rgacogne at archlinux.org
Fri Aug 14 09:27:13 UTC 2015
Arch Linux Security Advisory ASA-201508-6
Date : 2015-08-14
CVE-ID : CVE-2015-4680
Package : freeradius
Type : insufficient CRL validation
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package freeradius before version 3.0.9-1 is vulnerable to
insufficient CRL validation.
Upgrade to 3.0.9-1.
# pacman -Syu "freeradius>=3.0.9-1"
The problem has been fixed upstream in version 3.0.9 and 2.2.8.
The FreeRADIUS project advises to use self-signed CAs without
intermediate CAs for EAP-TLS, as only intermediate CAs are apparently
vulnerable to this issue.
The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The
FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to
leaf certificates, therefore not detecting revocation of intermediate CA
An unexpired client certificate, issued by an intermediate CA with a
revoked certificate, is therefore accepted by FreeRADIUS.
A remote attacker might be able to authenticate using a certificate
signed by a revoked intermediate CA.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the arch-security