Summary: net-dialup/freeradius: validation issue in EAP-MSCHAPv2 module (CVE-2006-1354)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B3 [glsa] vorlon
Package list:
Runtime testing required: ---
Description Matthias Geerdsen (RETIRED) 2006-03-22 13:44:59 UTC
2006.03.20 v1.0.5 and v1.1.0

A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.
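The advisory above describes the bug only as "insufficient input validation in the EAP-MSCHAPv2 state machine". The following is an added illustration of that bug class, written for this page; it is not FreeRADIUS code and does not reproduce the actual rlm_eap_mschapv2 fix. It models a toy EAP-MSCHAPv2 server that tracks one session: the vulnerable handler dispatches on whatever opcode the client sends, so a client that skips the Response and sends a Success acknowledgement straight away is accepted without its NT-Response ever being checked, and no length is validated before the packet is read. The hardened handler accepts only the opcode that is legal in the current state and checks MS-Length and Value-Size before touching the body. The NT-Response comparison against a constant is a constructed stand-in for the real RFC 2759 computation; the packet layout (opcode, id, MS-Length, Value-Size, 16-byte peer challenge, 8 reserved bytes, 24-byte NT-Response, flags, name) follows the EAP-MSCHAPv2 Response format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAP-MSCHAPv2 opcodes. */
enum { OP_CHALLENGE = 1, OP_RESPONSE = 2, OP_SUCCESS = 3, OP_FAILURE = 4 };
/* Server-side conversation states (illustrative, not FreeRADIUS's). */
enum { ST_SENT_CHALLENGE = 0, ST_SENT_SUCCESS = 1, ST_DONE = 2 };
/* Result of handling one client packet. */
enum { RES_REJECT = 0, RES_CONTINUE = 1, RES_ACCEPT = 2 };

/* Response body: peer-challenge(16) reserved(8) nt-response(24) flags(1). */
#define RESPONSE_VALUE_SIZE 49
#define NT_RESPONSE_OFFSET  (5 + 16 + 8)   /* header(4) + value-size(1) + 24 */

typedef struct {
    int state;
    uint8_t expected_nt_response[24];  /* constructed stand-in for the RFC 2759 value */
} session_t;

/* Constructed test vector; a real server derives this from the password hash and both challenges. */
static const uint8_t CONSTRUCTED_NT_RESPONSE[24] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc,
    0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09 };

static void session_init(session_t *s)
{
    s->state = ST_SENT_CHALLENGE;   /* server has already sent its Challenge */
    memcpy(s->expected_nt_response, CONSTRUCTED_NT_RESPONSE, 24);
}

/* Build a well-formed Response packet for user "alice"; returns its length. */
static size_t build_response(uint8_t *buf, uint8_t id, const uint8_t nt_response[24])
{
    size_t len = 4 + 1 + RESPONSE_VALUE_SIZE + 5;
    buf[0] = OP_RESPONSE; buf[1] = id;
    buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;   /* MS-Length */
    buf[4] = RESPONSE_VALUE_SIZE;
    memset(buf + 5, 0xa5, 16);                               /* peer challenge */
    memset(buf + 21, 0, 8);                                  /* reserved */
    memcpy(buf + NT_RESPONSE_OFFSET, nt_response, 24);
    buf[53] = 0;                                             /* flags */
    memcpy(buf + 54, "alice", 5);
    return len;
}

/* Vulnerable: trusts the client's opcode, never consults the state, never checks length. */
static int process_vulnerable(session_t *s, const uint8_t *pkt, size_t len)
{
    (void)len;
    if (pkt[0] == OP_RESPONSE) {
        if (memcmp(pkt + NT_RESPONSE_OFFSET, s->expected_nt_response, 24) != 0)
            return RES_REJECT;
        s->state = ST_SENT_SUCCESS;
        return RES_CONTINUE;
    }
    if (pkt[0] == OP_SUCCESS) {     /* "ack" accepted even though no Success was sent */
        s->state = ST_DONE;
        return RES_ACCEPT;
    }
    return RES_REJECT;
}

/* Hardened: the state decides which opcode is legal, and every field is bounds-checked first. */
static int process_hardened(session_t *s, const uint8_t *pkt, size_t len)
{
    if (len < 4) return RES_REJECT;                          /* header incomplete */
    uint16_t ms_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ms_len != len) return RES_REJECT;                    /* MS-Length must match bytes received */

    switch (s->state) {
    case ST_SENT_CHALLENGE:
        if (pkt[0] != OP_RESPONSE) return RES_REJECT;        /* a Success ack is meaningless here */
        if (len < 5 + RESPONSE_VALUE_SIZE) return RES_REJECT;
        if (pkt[4] != RESPONSE_VALUE_SIZE) return RES_REJECT;
        if (memcmp(pkt + NT_RESPONSE_OFFSET, s->expected_nt_response, 24) != 0) {
            s->state = ST_DONE;
            return RES_REJECT;
        }
        s->state = ST_SENT_SUCCESS;
        return RES_CONTINUE;
    case ST_SENT_SUCCESS:
        if (pkt[0] != OP_SUCCESS) return RES_REJECT;
        s->state = ST_DONE;
        return RES_ACCEPT;
    default:
        return RES_REJECT;                                   /* conversation is over */
    }
}

int main(void)
{
    session_t s;
    uint8_t forged_ack[4] = { OP_SUCCESS, 1, 0, 4 };         /* constructed: Success sent out of order */
    session_init(&s);
    printf("vulnerable, forged ack: %d (2 = accepted)\n", process_vulnerable(&s, forged_ack, 4));
    session_init(&s);
    printf("hardened,   forged ack: %d (0 = rejected)\n", process_hardened(&s, forged_ack, 4));
    return 0;
}
```

The ordering matters: MS-Length is checked against the received length before any offset into the body is used, so a truncated Response is rejected rather than read past its end, which is the crash case the advisory also mentions.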
Comment 1 Matthias Geerdsen (RETIRED) 2006-03-22 13:55:13 UTC
mrness, please provide an updated ebuild
Comment 2 Alin Năstac (RETIRED) 2006-03-23 01:05:14 UTC
I would love to, but freeradius-1.1.1 is uncompilable (compilation breaks at the rlm_eap module). I've managed to fix some problems, but I still have 2 more left on this module: the linker fails to find the radius_xlat and log_debug symbols. It's kind of strange that those functions are used here, since they are defined in the radiusd daemon, not the radius library. It seems it will take a while.
Comment 3 Alin Năstac (RETIRED) 2006-03-23 02:12:28 UTC
I've reported the rlm_eap compilation problems to upstream (see http://bugs.freeradius.org/show_bug.cgi?id=350).
Comment 4 Matthias Geerdsen (RETIRED) 2006-03-30 14:30:38 UTC
any progress on this one?
Comment 5 Alin Năstac (RETIRED) 2006-03-30 20:51:47 UTC
Yes, I've spoken with upstream on email@example.com. It can be built if I don't patch the rlm_eap makefile at all and drop --disable-static from the ./configure command line. I don't like this, but it is the only way. I will bump it today.
Comment 6 Alin Năstac (RETIRED) 2006-03-31 04:33:33 UTC
The new version has been committed, with the same keywords as 1.1.0-r1 (I've tested it myself on x86 and amd64). Sorry for the delay, but this bump was horrible. I'm still not perfectly happy with the result because I had to remove --disable-static from the configure command line in order to make it work.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2006-03-31 05:48:55 UTC
Thanks Alin, this one is ready for GLSA decision. I tend to vote YES.
Comment 8 Raphael Marichez (Falco) (RETIRED) 2006-03-31 05:51:03 UTC
vote Yes, sure.
Comment 9 Alin Năstac (RETIRED) 2006-03-31 06:18:26 UTC
Do not forget that the old version isn't vulnerable to DoS attacks on Gentoo. The init script uses the radwatch script, which restarts the radiusd daemon if it dies.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2006-03-31 06:22:19 UTC
The important part for me here is "A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks."
Comment 11 Alin Năstac (RETIRED) 2006-03-31 06:27:59 UTC
I'm only saying this to keep the word "DoS" out of the GLSA.
Comment 12 Matthias Geerdsen (RETIRED) 2006-03-31 15:10:59 UTC
0.5 vote for a glsa
Comment 13 Thierry Carrez (RETIRED) 2006-04-01 02:41:41 UTC
Given the scope of freeradius use, I vote yes.
Comment 14 Matthias Geerdsen (RETIRED) 2006-04-04 12:19:46 UTC
GLSA 200604-03 thanks everyone