[arch-security] [ASA-201707-23] freeradius: multiple issues

Remi Gacogne rgacogne at archlinux.org
Tue Jul 18 21:36:52 UTC 2017 

Arch Linux Security Advisory ASA-201707-23
==========================================

Severity: Critical
Date    : 2017-07-18
CVE-ID  : CVE-2017-10978 CVE-2017-10983 CVE-2017-10984 CVE-2017-10985
          CVE-2017-10986 CVE-2017-10987
Package : freeradius
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-357

Summary
=======

The package freeradius before version 3.0.15-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
==========

Upgrade to 3.0.15-1.

# pacman -Syu "freeradius>=3.0.15-1"

The problems have been fixed upstream in version 3.0.15.

Workaround
==========

None.

Description
===========

- CVE-2017-10978 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
make_secret() function does not properly check for output buffer size
before writing data. A remote attacker with the ability to send packets
which are accepted by the server can perform a read or write overflow
of up to 16 octets, causing a denial of service.

- CVE-2017-10983 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode() function performed a strcmp() on binary data in an
internal data structure, instead of checking the length of the option
and doing a memcmp. A remote attacker with the ability to send packets
which are accepted by the server can make the server read its memory
until it reaches a zero byte or crashes, causing a denial of service.

- CVE-2017-10984 (arbitrary code execution)

A security issue has been found in freeradius <= 3.0.15, where the
data2vp_wimax() function checks for WiMAX attributes which are too
small, but it does not check for WiMAX attributes which are too large.
As a result, the server can be convinced to read past the end of an
attribute, and to write past the end of memory allocated via malloc().
A remote attacker with the ability to send packets which are accepted
by the server can cause a write overflow, possibly leading to remote
code execution.

- CVE-2017-10985 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
server could go into an infinite loop and exhaust memory when it
receives zero-length attributes marked 'concat' in the dictionaries.

- CVE-2017-10986 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
dhcp_attr2vp() function, when decoding "string" options in an array,
could be convinced to call memchr() with a length argument of -1. This
could result in an over-read until the first zero octet was found, or a
page fault occurred.

- CVE-2017-10987 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode_suboptions() function does not properly check if sub-
options overflow the packet.

Impact
======

A remote attacker with the ability to send packets which are accepted
by the server can cause a denial of service or execute arbitrary code
on the affected host via a crafted packet.

References
==========

http://freeradius.org/security/fuzzer-2017.html
http://freeradius.org/security/fuzzer-2017.html#FR-GV-201
https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68
https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f
http://freeradius.org/security/fuzzer-2017.html#FR-GV-206
https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d
http://freeradius.org/security/fuzzer-2017.html#FR-GV-301
https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6
http://freeradius.org/security/fuzzer-2017.html#FR-GV-302
https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97
http://freeradius.org/security/fuzzer-2017.html#FR-GV-303
https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c
http://freeradius.org/security/fuzzer-2017.html#FR-GV-304
https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866
https://security.archlinux.org/CVE-2017-10978
https://security.archlinux.org/CVE-2017-10983
https://security.archlinux.org/CVE-2017-10984
https://security.archlinux.org/CVE-2017-10985
https://security.archlinux.org/CVE-2017-10986
https://security.archlinux.org/CVE-2017-10987

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20170718/09ecd3e1/attachment.asc>

More information about the arch-security mailing list