A security issue has been reported in FreeRADIUS, which can be exploited by malicious people to cause a DoS (Denial of Service).
The security issue is caused due to a memory leak (ca. 300 bytes) within the handling of certain malformed diameter format values inside an EAP-TTLS tunnel. This can be exploited to exhaust all available memory by sending a large number of malformed authentication requests to a vulnerable server.
The security issue is reported in versions prior to 1.1.6.
net-dialup, please advise.
2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
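The leak pattern described in the advisory text above, as an added example that is not FreeRADIUS code and not part of this bug report: a constructed C decoder for Diameter-format AVPs in which the structure allocated for a rejected attribute is never freed, next to the corrected cleanup. `pair_t`, `decode_avps`, `live_pairs` and the `fixed` switch are hypothetical names, and the shape of the faulty code path is an assumption, not taken from the FreeRADIUS source.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoded attribute; a stand-in, not FreeRADIUS's VALUE_PAIR. */
typedef struct pair {
    uint32_t code; size_t len; uint8_t data[253];
    struct pair *next;
} pair_t;

long live_pairs = 0; /* outstanding allocations, so a leak is measurable */

void pair_list_free(pair_t *p) {
    while (p) { pair_t *n = p->next; free(p); live_pairs--; p = n; }
}

/* Decode Diameter AVPs: code(4) flags(1) length(3) [vendor-id(4)] data, each
 * AVP padded to 4 bytes. Returns NULL if any AVP is malformed.
 * fixed == 0 models the leak: the pair allocated for the rejected AVP is not
 * yet on the list, so freeing the list misses it. fixed == 1 releases it. */
pair_t *decode_avps(const uint8_t *buf, size_t len, int fixed) {
    pair_t *head = NULL, **tail = &head;
    size_t off = 0;
    while (off < len) {
        size_t hdr = 8, alen = 0;
        pair_t *vp = calloc(1, sizeof *vp); /* allocated before validation */
        if (vp) live_pairs++;
        int ok = vp != NULL && len - off >= 8;
        if (ok) {
            if (buf[off + 4] & 0x80) hdr = 12; /* V flag: vendor-id follows */
            alen = ((size_t)buf[off + 5] << 16) | ((size_t)buf[off + 6] << 8) | buf[off + 7];
            ok = alen >= hdr && alen <= len - off && alen - hdr <= sizeof vp->data;
        }
        if (!ok) {
            if (fixed) pair_list_free(vp); /* the cleanup the leaky path lacks */
            pair_list_free(head);
            return NULL;
        }
        vp->code = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                   ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        vp->len = alen - hdr;
        memcpy(vp->data, buf + off + hdr, vp->len);
        *tail = vp; tail = &vp->next;
        off += (alen + 3) & ~(size_t)3;
    }
    return head;
}
```

Counting outstanding allocations across a batch of rejected requests, as `live_pairs` does here, is the kind of regression check that shows whether a reject path returns to its baseline.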
freeradius-1.1.6 has been committed.
Arches, please mark it as stable.
mrness: is there a specific issue for not including ppc and sparc?
I vote for a GLSA since a DoS on FreeRADIUS is in fact a DoS on the whole system(s) that is under its control.
(In reply to comment #4)
> mrness: is there a specific issue for not including ppc and sparc?
None of the freeradius versions have stable ppc or sparc keywords.
Arches add keywords, not maintainers.
I vote YES, let's have a GLSA on this one. Though we should note that only users using EAP-TTLS seem to be affected.
GLSA 200704-14, thanks p-y and everybody