
Bug 127229

Summary: net-dialup/freeradius: validation issue in EAP-MSCHAPv2 module (CVE-2006-1354)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: mrness
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-22 13:44:59 UTC
v1.0.5, and v1.1.0 
A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-22 13:55:13 UTC
mrness, please provide an updated ebuild
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-03-23 01:05:14 UTC
I would love to, but freeradius-1.1.1 is uncompilable (compilation breaks in the rlm_eap module).
I've managed to fix some problems, but I still have 2 more left in this module: the linker fails to find the radius_xlat and log_debug symbols. It's kind of strange that those functions are used here, since they are defined in the radiusd daemon, not in the radius library.

Seems it will take a while.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2006-03-23 02:12:28 UTC
I've reported the rlm_eap compilation problems to upstream (see
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-30 14:30:38 UTC
any progress on this one?
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2006-03-30 20:51:47 UTC
Yes, I've spoken with upstream on

It could be built if I did not patch the rlm_eap makefile at all and dropped --disable-static from the configure command line.
I don't like this, but it is the only way. I will bump it today.
Comment 6 Alin Năstac (RETIRED) gentoo-dev 2006-03-31 04:33:33 UTC
The new version has been committed, with the same keywords as 1.1.0-r1 (I've tested it myself on x86 and amd64).

Sorry for the delay, but this bump was horrible. I'm still not perfectly happy with the result because I had to remove --disable-static from the configure command line in order to make it work.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-31 05:48:55 UTC
Thanks Alin, this one is ready for GLSA decision. I tend to vote YES.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-03-31 05:51:03 UTC
vote Yes, sure.
Comment 9 Alin Năstac (RETIRED) gentoo-dev 2006-03-31 06:18:26 UTC
Do not forget that the old version isn't vulnerable to DoS attacks on Gentoo.
The init script uses the radwatch script, which restarts the radiusd daemon if it dies.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-31 06:22:19 UTC
The important part for me here is "A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks."
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2006-03-31 06:27:59 UTC
I'm only saying this to keep the word "DoS" out of the GLSA.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-31 15:10:59 UTC
0.5 vote for a GLSA
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-04-01 02:41:41 UTC
Given the scope of freeradius use, I vote yes.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2006-04-04 12:19:46 UTC
GLSA 200604-03

thanks everyone