|Summary:||net-dialup/freeradius < 1.1.6 Denial of Service (CVE-2007-2028)|
|Product:||Gentoo Security||Reporter:||Pierre-Yves Rofes (RETIRED) <py>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||B3 [glsa] p-y|
|Package list:||Runtime testing required:||---|
Description Pierre-Yves Rofes (RETIRED) 2007-04-12 15:46:16 UTC
A security issue has been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service). The security issue is caused due to a memory leak (ca. 300 bytes) within the handling of certain malformed Diameter format values inside an EAP-TTLS tunnel. This can be exploited to exhaust all available memory by sending a large number of malformed authentication requests to a vulnerable server. The security issue is reported in versions prior to 1.1.6.

net-dialup, please advise.
Comment 1 Pierre-Yves Rofes (RETIRED) 2007-04-12 15:46:57 UTC
Comment 2 Sune Kloppenborg Jeppesen 2007-04-12 16:32:42 UTC
http://www.freeradius.org/security.html

2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit. We recommend that administrators using EAP-TTLS upgrade immediately. This bug was found as part of the Coverity Scan project.
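The bug class the upstream advisory above describes (a reject path that frees the attribute list but not the structure allocated for the malformed attribute), as an added C illustration; it is not FreeRADIUS code and not the 1.1.6 fix. `pair_t`, `parse_avps`, `leaked_after` and the sample bytes are hypothetical or constructed, and the layout assumed is the standard Diameter AVP header.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a server-side attribute record; not FreeRADIUS's VALUE_PAIR. */
typedef struct pair { uint32_t code; size_t len; uint8_t data[253]; struct pair *next; } pair_t;

static long live_pairs;                     /* live allocations, so a leak is measurable */
static pair_t *pair_new(void) { pair_t *p = calloc(1, sizeof *p); if (p) live_pairs++; return p; }
static void pair_free(pair_t *p) { while (p) { pair_t *n = p->next; free(p); live_pairs--; p = n; } }

/* Diameter AVP: 4-byte code, 1-byte flags, 3-byte length (header included),
 * 4-byte vendor id if flags & 0x80, then data padded to a 4-byte boundary.
 * leaky != 0 keeps the defect: the reject path forgets the pair not yet linked. */
int parse_avps(const uint8_t *buf, size_t n, pair_t **out, int leaky)
{
    pair_t *head = NULL, **tail = &head;
    size_t off = 0;
    *out = NULL;
    while (off < n) {
        const uint8_t *a = buf + off;
        size_t hdr = 8, alen = 0;
        pair_t *vp = pair_new();            /* allocated before the AVP is validated */
        int ok = vp != NULL && n - off >= 8;
        if (ok) {
            hdr  = (a[4] & 0x80) ? 12 : 8;
            alen = ((size_t)a[5] << 16) | ((size_t)a[6] << 8) | a[7];
            ok   = alen >= hdr && alen <= n - off && alen - hdr <= sizeof vp->data;
        }
        if (!ok) {                          /* malformed AVP: reject the whole request */
            if (!leaky) pair_free(vp);      /* the fix: release the unlinked pair as well */
            pair_free(head);
            return -1;
        }
        vp->code = ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) | ((uint32_t)a[2] << 8) | a[3];
        vp->len  = alen - hdr;
        memcpy(vp->data, a + hdr, vp->len);
        *tail = vp; tail = &vp->next;
        off += (alen + 3) & ~(size_t)3;     /* skip padding to the next AVP */
    }
    *out = head;
    return 0;
}

/* Constructed sample: one valid AVP ("test"), then one whose length (4) is below the header size. */
static const uint8_t MALFORMED[] = { 0,0,0,1, 0x40,0,0,12, 't','e','s','t', 0,0,0,2, 0x40,0,0,4 };

long leaked_after(int rounds, int leaky)    /* pairs still allocated after N rejected requests */
{
    long before = live_pairs; pair_t *vps;
    while (rounds-- > 0) (void)parse_avps(MALFORMED, sizeof MALFORMED, &vps, leaky);
    return live_pairs - before;
}
```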
Comment 3 Alin Năstac (RETIRED) 2007-04-12 18:50:46 UTC
freeradius-1.1.6 has been committed. Arches, please mark it as stable.
Comment 4 Pierre-Yves Rofes (RETIRED) 2007-04-12 18:58:33 UTC
mrness: is there a specific issue for not including ppc and sparc?
Comment 5 Peter Weller (RETIRED) 2007-04-12 19:21:07 UTC
Comment 6 Christian Faulhammer (RETIRED) 2007-04-12 20:21:12 UTC
Comment 7 Raphael Marichez (Falco) (RETIRED) 2007-04-12 20:32:48 UTC
I vote for a GLSA since a DoS on FreeRadius is in fact a DoS on the whole system(s) that is under its control.
Comment 8 Alin Năstac (RETIRED) 2007-04-12 21:03:25 UTC
(In reply to comment #4)
> mrness: is there a specific issue for not including ppc and sparc?

None of the freeradius versions have stable ppc or sparc keywords. Arches add keywords, not maintainers.
Comment 9 Sune Kloppenborg Jeppesen 2007-04-13 07:08:45 UTC
I vote YES, let's have a GLSA on this one. Though we should note that only users using EAP-TTLS seem to be affected.
Comment 10 Raphael Marichez (Falco) (RETIRED) 2007-04-17 22:49:50 UTC
GLSA 200704-14, thanks p-y and everybody