ArchLinux: 201707-23: freeradius: multiple issues
Summary
- CVE-2017-10978 (denial of service)
A security issue has been found in freeradius <= 3.0.15, where the
make_secret() function does not properly check for output buffer size
before writing data. A remote attacker with the ability to send packets
which are accepted by the server can perform a read or write overflow
of up to 16 octets, causing a denial of service.
- CVE-2017-10983 (denial of service)
A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode() function performed a strcmp() on binary data in an
internal data structure, instead of checking the length of the option
and doing a memcmp. A remote attacker with the ability to send packets
which are accepted by the server can make the server read its memory
until it reaches a zero byte or crashes, causing a denial of service.
- CVE-2017-10984 (arbitrary code execution)
A security issue has been found in freeradius <= 3.0.15, where the
data2vp_wimax() function checks for WiMAX attributes which are too
small, but it does not check for WiMAX attributes which are too large.
As a result, the server can be convinced to read past the end of an
attribute, and to write past the end of memory allocated via malloc().
A remote attacker with the ability to send packets which are accepted
by the server can cause a write overflow, possibly leading to remote
code execution.
- CVE-2017-10985 (denial of service)
A security issue has been found in freeradius <= 3.0.15, where the
server could go into an infinite loop and exhaust memory when it
receives zero-length attributes marked 'concat' in the dictionaries.
- CVE-2017-10986 (denial of service)
A security issue has been found in freeradius <= 3.0.15, where the
dhcp_attr2vp() function, when decoding "string" options in an array,
could be convinced to call memchr() with a length argument of -1. This
could result in an over-read until the first zero octet was found, or a
page fault occurred.
- CVE-2017-10987 (denial of service)
A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode_suboptions() function does not properly check if sub-options overflow the packet.
Resolution
Upgrade to 3.0.15-1.
# pacman -Syu "freeradius>=3.0.15-1"
The problems have been fixed upstream in version 3.0.15.
References
http://freeradius.org/security/fuzzer-2017.html http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 https://security.archlinux.org/CVE-2017-10978 https://security.archlinux.org/CVE-2017-10983 https://security.archlinux.org/CVE-2017-10984 https://security.archlinux.org/CVE-2017-10985 https://security.archlinux.org/CVE-2017-10986 https://security.archlinux.org/CVE-2017-10987
Workaround
None.