127229 – net-dialup/freeradius: validation issue in EAP-MSCHAPv2 module (CVE-2006-1354)

Bug 127229 - net-dialup/freeradius: validation issue in EAP-MSCHAPv2 module (CVE-2006-1354)

Summary: net-dialup/freeradius: validation issue in EAP-MSCHAPv2 module (CVE-2006-1354)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.freeradius.org/security.html
Whiteboard:	B3 [glsa] vorlon
Keywords:

Depends on:
Blocks:

Reported:	2006-03-22 13:44 UTC by Matthias Geerdsen (RETIRED)
Modified:	2006-04-04 12:19 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-22 13:44:59 UTC

2006.03.20
v1.0.5, and v1.1.0 
A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-22 13:55:13 UTC

mrness, pls provide an updated ebuild

Comment 2 Alin Năstac (RETIRED) gentoo-dev

2006-03-23 01:05:14 UTC

I would love to, but freeradius-1.1.1 is uncompilable (compilation breaks at rlm_eap module). 
I've managed to fix some problems, but I still have 2 more left on this module: linker fails to find radius_xlat and log_debug symbols. It's kinda strange those functions are used here, since they are defined in radiusd daemon not the radius library.

Seems it will take awhile.

Comment 3 Alin Năstac (RETIRED) gentoo-dev

2006-03-23 02:12:28 UTC

I've reported the rlm_eap compilation problems to upstream (see http://bugs.freeradius.org/show_bug.cgi?id=350).

Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-30 14:30:38 UTC

any progress on this one?

Comment 5 Alin Năstac (RETIRED) gentoo-dev

2006-03-30 20:51:47 UTC

Yes, I've spoked with upstream on freeradius-devel@lists.freeradius.org.

It could be build if I would not patch the rlm_eap  makefile at all and drop --disable-static from .configure command line.
I don't like this, but is the only way. I will bump it today.

Comment 6 Alin Năstac (RETIRED) gentoo-dev

2006-03-31 04:33:33 UTC

the new version has been commited, with the same keywords as the 1.1.0-r1 (I've tested myself on x86 and amd64).

sorry for the delay, but this bump was horrible. I'm still not perfectly happy with the results because I had to remove --disable-static from configure cmd line in order to make it work.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-03-31 05:48:55 UTC

Thx Alin, this one is ready for GLSA decision. I tend to vote YES.

Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-03-31 05:51:03 UTC

vote Yes, sure.

Comment 9 Alin Năstac (RETIRED) gentoo-dev

2006-03-31 06:18:26 UTC

Do not forget that the old version isn't vulnerable to DoS attacks on Gentoo. 
The init script use radwatch script, which restart radiusd daemon if it dies.

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-03-31 06:22:19 UTC

The important part for me here is "A malicious attacker could
manipulate their EAP-MSCHAPv2 client state machine to potentially convince the
server to bypass authentication checks."

Comment 11 Alin Năstac (RETIRED) gentoo-dev

2006-03-31 06:27:59 UTC

I'm only saying this for keeping "DoS" word out from the GLSA.

Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-31 15:10:59 UTC

0.5 vote for a glsa

Comment 13 Thierry Carrez (RETIRED) gentoo-dev

2006-04-01 02:41:41 UTC

Given the scope of freeradius use, I vote yes.

Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev

2006-04-04 12:19:46 UTC

GLSA 200604-03

thanks everyone