Arch Linux Security Advisory ASA-201707-23
=========================================
Severity: Critical
Date    : 2017-07-18
CVE-ID  : CVE-2017-10978 CVE-2017-10983 CVE-2017-10984 CVE-2017-10985
          CVE-2017-10986 CVE-2017-10987
Package : freeradius
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-357

Summary
======
The package freeradius before version 3.0.15-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution
=========
Upgrade to 3.0.15-1.

# pacman -Syu "freeradius>=3.0.15-1"

The problems have been fixed upstream in version 3.0.15.

Workaround
=========
None.

Description
==========
- CVE-2017-10978 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
make_secret() function does not properly check for output buffer size
before writing data. A remote attacker with the ability to send packets
which are accepted by the server can perform a read or write overflow
of up to 16 octets, causing a denial of service.

- CVE-2017-10983 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode() function performed a strcmp() on binary data in an
internal data structure, instead of checking the length of the option
and doing a memcmp. A remote attacker with the ability to send packets
which are accepted by the server can make the server read its memory
until it reaches a zero byte or crashes, causing a denial of service.

- CVE-2017-10984 (arbitrary code execution)

A security issue has been found in freeradius <= 3.0.15, where the
data2vp_wimax() function checks for WiMAX attributes which are too
small, but it does not check for WiMAX attributes which are too large.
As a result, the server can be convinced to read past the end of an
attribute, and to write past the end of memory allocated via malloc().
A remote attacker with the ability to send packets which are accepted
by the server can cause a write overflow, possibly leading to remote
code execution.

- CVE-2017-10985 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
server could go into an infinite loop and exhaust memory when it
receives zero-length attributes marked 'concat' in the dictionaries.

- CVE-2017-10986 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
dhcp_attr2vp() function, when decoding "string" options in an array,
could be convinced to call memchr() with a length argument of -1. This
could result in an over-read until the first zero octet was found, or a
page fault occurred.

- CVE-2017-10987 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode_suboptions() function does not properly check if
sub-options overflow the packet.
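
The checks whose absence is described for CVE-2017-10983 and CVE-2017-10987, sketched in C. This is an added example, not FreeRADIUS code or the upstream fix; find_option(), check_suboptions(), option_equals() and the sample buffers are hypothetical names and constructed data. It assumes a simplified DHCP-style layout (1-octet code, 1-octet length, value) and treats sub-options the same way.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: walk code/length/value options in buf[0..len). Returns 1 and
 * sets *val and *vlen if `want` is present, 0 if absent, -1 if an option overruns buf. */
static int find_option(const uint8_t *buf, size_t len, uint8_t want,
                       const uint8_t **val, size_t *vlen)
{
    size_t off = 0;
    int found = 0;
    while (off < len) {
        uint8_t code = buf[off];
        if (code == 0) { off++; continue; }   /* Pad: single octet */
        if (code == 255) break;               /* End */
        if (len - off < 2) return -1;         /* no room for the length octet */
        size_t n = buf[off + 1];
        if (n > len - off - 2) return -1;     /* value would overflow buffer */
        if (code == want && !found) { *val = buf + off + 2; *vlen = n; found = 1; }
        off += 2 + n;                         /* always makes progress */
    }
    return found;
}

/* Sub-options are bounded by the parent's length: 1 ok, 0 parent absent, -1 malformed. */
static int check_suboptions(const uint8_t *buf, size_t len, uint8_t parent)
{
    const uint8_t *val = NULL, *unused = NULL;
    size_t vlen = 0, ulen = 0;
    int rc = find_option(buf, len, parent, &val, &vlen);
    if (rc != 1) return rc;
    return find_option(val, vlen, 0, &unused, &ulen) < 0 ? -1 : 1;
}

/* Binary values: compare lengths first, then memcmp(); never strcmp(). */
static int option_equals(const uint8_t *val, size_t vlen, const void *exp, size_t elen)
{
    return vlen == elen && memcmp(val, exp, elen) == 0;
}

/* Constructed sample data (not captured traffic). */
const uint8_t good_pkt[] = { 53, 1, 1, 82, 4, 1, 2, 0xaa, 0xbb, 255 };
const uint8_t bad_sub[]  = { 53, 1, 1, 82, 4, 1, 9, 0xaa, 0xbb, 255 }; /* sub-option too long */
const uint8_t nul_val[]  = { 'a', 0, 'b' };                            /* embedded zero octet */

int main(void)
{
    return !(check_suboptions(bad_sub, sizeof bad_sub, 82) == -1 &&
             !option_equals(nul_val, sizeof nul_val, "a", 1));
}
```

A strcmp() of nul_val against "a" would report a match because it stops at the embedded zero octet; the length-checked memcmp() does not.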

Impact
=====
A remote attacker with the ability to send packets which are accepted
by the server can cause a denial of service or execute arbitrary code
on the affected host via a crafted packet.

References
=========
http://freeradius.org/security/fuzzer-2017.html
http://freeradius.org/security/fuzzer-2017.html#FR-GV-201
https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68
https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f
http://freeradius.org/security/fuzzer-2017.html#FR-GV-206
https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d
http://freeradius.org/security/fuzzer-2017.html#FR-GV-301
https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6
http://freeradius.org/security/fuzzer-2017.html#FR-GV-302
https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97
http://freeradius.org/security/fuzzer-2017.html#FR-GV-303
https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c
http://freeradius.org/security/fuzzer-2017.html#FR-GV-304
https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866
https://security.archlinux.org/CVE-2017-10978
https://security.archlinux.org/CVE-2017-10983
https://security.archlinux.org/CVE-2017-10984
https://security.archlinux.org/CVE-2017-10985
https://security.archlinux.org/CVE-2017-10986
https://security.archlinux.org/CVE-2017-10987
