Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 174292

Summary: net-dialup/freeradius < 1.1.6 Denial of Service (CVE-2007-2028)
Product: Gentoo Security Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mrness, net-dialup
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/24849/
Whiteboard: B3 [glsa] p-y
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-12 15:46:16 UTC
A security issue has been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service).

The security issue is caused due to a memory leak (ca. 300bytes) within the handling of certain malformed diameter format values inside an EAP-TTLS tunnel. This can be exploited to exhaust all available memory by sending a large number of malformed authentication requests to a vulnerable server.

The security issue is reported in versions prior to 1.1.6.

net-dialup, please advise.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-12 15:46:57 UTC
setting status.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-12 16:32:42 UTC
http://www.freeradius.org/security.html

2007.04.10 v1.1.5, and earlier - A malicous 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit. 
 We recommend that administrators using EAP-TTLS upgrade immediately. 
 This bug was found as part of the Coverity Scan project.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2007-04-12 18:50:46 UTC
freeradius-1.1.6 has been committed.
Arches, please mark it as stable.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-12 18:58:33 UTC
mrness: is there a speficic issue for not including ppc and sparc?
Comment 5 Peter Weller (RETIRED) gentoo-dev 2007-04-12 19:21:07 UTC
amd64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-12 20:21:12 UTC
x86 stable
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-12 20:32:48 UTC
i vote for a GLSA since a DoS on FreeRadius is in fact a DoS on the whole system(s) that is under its control.
Comment 8 Alin Năstac (RETIRED) gentoo-dev 2007-04-12 21:03:25 UTC
(In reply to comment #4)
> mrness: is there a speficic issue for not including ppc and sparc?

None of the freeradius versions have stable ppc or sparc keywords.
Arches add keywords, not maintainers.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-13 07:08:45 UTC
I vote YES lets have a GLSA on this one. Though we should note that only users using EAP-TTLS seems to be affected.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-17 22:49:50 UTC
GLSA 200704-14, thanks p-y and everybody