SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   FreeRADIUS Vendors:   FreeRADIUS Server Project
(Red Hat Issues Fix for RH Enterprise Linux) FreeRADIUS String Tag Negative Integer Overflow Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1008437
SecurityTracker URL:  http://securitytracker.com/id/1008437
CVE Reference:   CVE-2003-0967   (Links to External Site)
Date:  Dec 10 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.9.3
Description:   A vulnerability was reported FreeRADIUS. A remote user may be able to cause the RADIUS service to crash.

It is reported that a remote user with a permitted RADIUS client IP address (or forged address) can submit a specially crafted RADIUS packet to potentially cause the target FreeRADIUS service to crash. A 'tag' of type 'string' that is 2 - 3 octets in length may cause the target server to issue a memcpy() call with a negative length argument (lenght of '-1'), the report said. As a result, some of the RADIUS packet contents will overwrite portions of the heap.

It is also reported that a remote user can send any Access-Request packet with a specially crafted Tunnel-Password attribute to trigger a null pointer dereference and cause the server to crash.

Impact:   A remote user can cause the target FreeRADIUS service to crash.
Solution:   Red Hat has released a fix.

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/freeradius-0.9.3-1.src.rpm

i386:
Available from Red Hat Network: freeradius-0.9.3-1.i386.rpm

ia64:
Available from Red Hat Network: freeradius-0.9.3-1.ia64.rpm

ppc:
Available from Red Hat Network: freeradius-0.9.3-1.ppc.rpm

s390:
Available from Red Hat Network: freeradius-0.9.3-1.s390.rpm

s390x:
Available from Red Hat Network: freeradius-0.9.3-1.s390x.rpm

x86_64:
Available from Red Hat Network: freeradius-0.9.3-1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/freeradius-0.9.3-1.src.rpm

i386:
Available from Red Hat Network: freeradius-0.9.3-1.i386.rpm

The verification checksums are:

MD5 sum Package Name
772056b2c12810455f7b678d3a40be13 3AS/en/os/SRPMS/freeradius-0.9.3-1.src.rpm
6f81abead63e712ec5192a540961d3b4 3AS/en/os/i386/freeradius-0.9.3-1.i386.rpm
b9dc31545e9788e691078a66f3a678e7 3AS/en/os/ia64/freeradius-0.9.3-1.ia64.rpm
dc863939031dbc17037b2bf53b81deca 3AS/en/os/ppc/freeradius-0.9.3-1.ppc.rpm
31d153ae203488d9be3f892ce88183d7 3AS/en/os/s390/freeradius-0.9.3-1.s390.rpm
92602dc96ced6c962389e51d2b5d1f98 3AS/en/os/s390x/freeradius-0.9.3-1.s390x.rpm
1a21f0a959afa512b85c6b80e9dc8d1a 3AS/en/os/x86_64/freeradius-0.9.3-1.x86_64.rpm
772056b2c12810455f7b678d3a40be13 3ES/en/os/SRPMS/freeradius-0.9.3-1.src.rpm
6f81abead63e712ec5192a540961d3b4 3ES/en/os/i386/freeradius-0.9.3-1.i386.rpm

Vendor URL:  www.freeradius.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Linux)
Underlying OS Comments:  Red Hat Enterprise Linux 3

Message History:   This archive entry is a follow-up to the message listed below.
Nov 20 2003 FreeRADIUS String Tag Negative Integer Overflow Lets Remote Users Crash the Service



 Source Message Contents

Subject:  [RHSA-2003:386-01] Updated FreeRADIUS packages fix security issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated FreeRADIUS packages fix security issue
Advisory ID:       RHSA-2003:386-01
Issue date:        2003-12-10
Updated on:        2003-12-10
Product:           Red Hat Enterprise Linux
Keywords:          DoS
Cross references:  
Obsoletes:         
CVE Names:         CAN-2003-0967
- ---------------------------------------------------------------------

1. Topic:

Updated FreeRADIUS packages are now available that fix a denial of service
vulnerability.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386

3. Problem description:

FreeRADIUS is an Internet authentication daemon, which implements the
RADIUS protocol.  It allows Network Access Servers (NAS boxes) to perform
authentication for dial-up users.

The rad_decode function in FreeRADIUS 0.9.2 and earlier allows remote
attackers to cause a denial of service (crash) via a short RADIUS string
attribute with a tag, which causes memcpy to be called with a -1 length
argument, as demonstrated using the Tunnel-Password attribute.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0967 to this issue.
 
Users of FreeRADIUS are advised to upgrade to these erratum packages
containing FreeRADIUS 0.9.3 which is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

110901 - CAN-2003-0967/8 FreeRadius remote DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/freeradius-0.9.3-1.src.rpm

i386:
Available from Red Hat Network: freeradius-0.9.3-1.i386.rpm

ia64:
Available from Red Hat Network: freeradius-0.9.3-1.ia64.rpm

ppc:
Available from Red Hat Network: freeradius-0.9.3-1.ppc.rpm

s390:
Available from Red Hat Network: freeradius-0.9.3-1.s390.rpm

s390x:
Available from Red Hat Network: freeradius-0.9.3-1.s390x.rpm

x86_64:
Available from Red Hat Network: freeradius-0.9.3-1.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/freeradius-0.9.3-1.src.rpm

i386:
Available from Red Hat Network: freeradius-0.9.3-1.i386.rpm



7. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
772056b2c12810455f7b678d3a40be13 3AS/en/os/SRPMS/freeradius-0.9.3-1.src.rpm
6f81abead63e712ec5192a540961d3b4 3AS/en/os/i386/freeradius-0.9.3-1.i386.rpm
b9dc31545e9788e691078a66f3a678e7 3AS/en/os/ia64/freeradius-0.9.3-1.ia64.rpm
dc863939031dbc17037b2bf53b81deca 3AS/en/os/ppc/freeradius-0.9.3-1.ppc.rpm
31d153ae203488d9be3f892ce88183d7 3AS/en/os/s390/freeradius-0.9.3-1.s390.rpm
92602dc96ced6c962389e51d2b5d1f98 3AS/en/os/s390x/freeradius-0.9.3-1.s390x.rpm
1a21f0a959afa512b85c6b80e9dc8d1a 3AS/en/os/x86_64/freeradius-0.9.3-1.x86_64.rpm
772056b2c12810455f7b678d3a40be13 3ES/en/os/SRPMS/freeradius-0.9.3-1.src.rpm
6f81abead63e712ec5192a540961d3b4 3ES/en/os/i386/freeradius-0.9.3-1.i386.rpm


These packages are GPG signed by Red Hat for security.  Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:
    
    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    
    md5sum <filename>


8. References:

http://marc.theaimsgroup.com/?l=freeradius-users&m=106947389449613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0967

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/11EhXlSAg2UNWIIRAliAAJ91Js70j6utfCtbQqcG6F2GXaPqWACfZKoS
L6S34bqrw7k0od27jpaG6v8=
=Rgyr
-----END PGP SIGNATURE-----

-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC