Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 554
Alerts This Week
Warning Icon 1 554

Arch Linux: 201508-6 Low: FreeRADIUS Insufficient CRL Validation Risk

Archlinux Large Esm H446
The package freeradius before version 3.0.9-1 is vulnerable to insufficient CRL validation.
Arch Linux Security Advisory ASA-201508-6
========================================
Severity: Low
Date    : 2015-08-14
CVE-ID  : CVE-2015-4680
Package : freeradius
Type    : insufficient CRL validation
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package freeradius before version 3.0.9-1 is vulnerable to
insufficient CRL validation.

Resolution
=========
Upgrade to 3.0.9-1.

# pacman -Syu "freeradius>=3.0.9-1"

The problem has been fixed upstream in version 3.0.9 and 2.2.8.

Workaround
=========
The FreeRADIUS project advises to use self-signed CAs without
intermediate CAs for EAP-TLS, as only intermediate CAs are apparently
vulnerable to this issue.

Description
==========
The FreeRADIUS server relies on OpenSSL to perform certificate
validation, including Certificate Revocation List (CRL) checks. The
FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to
leaf certificates, therefore not detecting revocation of intermediate CA
certificates.
An unexpired client certificate, issued by an intermediate CA with a
revoked certificate, is therefore accepted by FreeRADIUS.

Impact
=====
A remote attacker might be able to authenticate using a certificate
signed by a revoked intermediate CA.

References
=========
https://www-fr.freeradius.org/security/
http://ocert.org/advisories/ocert-2015-008.html
https://access.redhat.com/security/cve/CVE-2015-4680