SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   FreeRADIUS
Vendors:   FreeRADIUS Server Project
FreeRADIUS Certificate Validation Code Fails to Check for Revoked Intermediate CA Credentials
SecurityTracker Alert ID:  1032690
SecurityTracker URL:  http://securitytracker.com/id/1032690
CVE Reference:   CVE-2015-4680
Date:  Jun 22 2015
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.2.7 and prior 2.x versions, 3.0.8 and prior 3.x versions
Description:   A vulnerability was reported in FreeRADIUS. A remote user can bypass security controls on the target system.

The system does not detect the revocation of intermediate certificate authority (CA) certificates. A remote user holding an unexpired client certificate issued by an intermediate CA whose own certificate has been revoked can still authenticate to the system.

The vendor was notified on June 17, 2015.

The original advisory is available at:

http://www.ocert.org/advisories/ocert-2015-008.html

An anonymous researcher reported this vulnerability.

Impact:   A remote user with a valid client certificate issued by a revoked intermediate CA can authenticate to the system.
Solution:   The vendor has issued a fix (2.2.8, 3.0.9).

The vendor's advisory is available at:

http://freeradius.org/security.html

Vendor URL:  freeradius.org/security.html
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  [oss-security] [oCERT-2015-008] FreeRADIUS insufficient CRL application


#2015-008 FreeRADIUS insufficient CRL application

Description:

The FreeRADIUS server is an open source project that provides a RADIUS
implementation.

The FreeRADIUS server relies on OpenSSL to perform certificate validation,
including Certificate Revocation List (CRL) checks. The way FreeRADIUS
configures OpenSSL's CRL checking limits the checks to the leaf (client)
certificate, so revocation of an intermediate CA certificate is not detected.

An unexpired client certificate issued by an intermediate CA whose own
certificate has been revoked is therefore accepted by FreeRADIUS.

Specifically, FreeRADIUS sets the X509_V_FLAG_CRL_CHECK flag, which enables
CRL checks for the leaf certificate only, but does not also set
X509_V_FLAG_CRL_CHECK_ALL, which extends CRL checks to every certificate in
the trust chain.

The FreeRADIUS project advises that the recommended configuration is to use
self-signed CAs for all EAP-TLS methods.
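The following is an example added by the editor, not FreeRADIUS or oCERT code. It models the difference between the two OpenSSL CRL modes named above with a constructed three-certificate EAP-TLS chain (client leaf, intermediate CA, self-signed root) and constructed CRLs in which the root has revoked the intermediate. It also shows the same two settings on a real ssl.SSLContext: Python's standard ssl module exposes X509_V_FLAG_CRL_CHECK as ssl.VERIFY_CRL_CHECK_LEAF and the combination X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL as ssl.VERIFY_CRL_CHECK_CHAIN. The chain, serial numbers and CRL contents are invented for the illustration.

```python
"""Leaf-only versus whole-chain CRL checking (oCERT-2015-008 pattern).

Editor-added example, not FreeRADIUS code. The certificates, serial numbers
and CRLs below are constructed to show the failure mode, not real data.
"""
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


# Constructed chain, leaf first, as OpenSSL orders X509_STORE_CTX chains.
ROOT = Cert("Root CA", "Root CA", 1)
INTERMEDIATE = Cert("Intermediate CA", "Root CA", 1001)
CLIENT = Cert("client@example.org", "Intermediate CA", 4242)
CHAIN = [CLIENT, INTERMEDIATE, ROOT]

# Constructed CRLs keyed by issuing CA. The root has revoked the
# intermediate (serial 1001); the intermediate has revoked nothing, so the
# client leaf looks perfectly valid when examined on its own.
CRLS = {
    "Root CA": {1001},
    "Intermediate CA": set(),
}


def crl_check(chain, crls, check_all):
    """Return (accepted, reason) for a chain under one of two policies.

    check_all=False mirrors X509_V_FLAG_CRL_CHECK alone: only the leaf is
    checked against its issuer's CRL.  check_all=True mirrors
    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL: every certificate in
    the chain, trust anchor included, is checked.  As in OpenSSL, a missing
    CRL for a checked certificate is itself a verification failure.
    """
    to_check = chain if check_all else chain[:1]
    for cert in to_check:
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"no CRL available for issuer {cert.issuer!r}"
        if cert.serial in crl:
            return False, f"{cert.subject!r} revoked by {cert.issuer!r}"
    return True, "ok"


def make_context(check_all):
    """Build a server-side TLS context with the weak or the corrected flags.

    VERIFY_CRL_CHECK_LEAF alone is the pre-fix FreeRADIUS behaviour;
    VERIFY_CRL_CHECK_CHAIN is the whole-chain setting.  Note that OpenSSL's
    CRL_CHECK_ALL bit has no effect unless CRL_CHECK is also set, which is
    why ssl.VERIFY_CRL_CHECK_CHAIN carries both bits.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if check_all:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def checks_whole_chain(ctx):
    """True only if both CRL bits are set, i.e. intermediates are checked."""
    mask = ssl.VERIFY_CRL_CHECK_CHAIN
    return (ctx.verify_flags & mask) == mask


if __name__ == "__main__":
    for policy in (False, True):
        accepted, reason = crl_check(CHAIN, CRLS, check_all=policy)
        label = "CRL_CHECK_ALL" if policy else "CRL_CHECK (leaf only)"
        print(f"{label:24s} -> accepted={accepted} ({reason})")
    print("weak context checks chain: ", checks_whole_chain(make_context(False)))
    print("fixed context checks chain:", checks_whole_chain(make_context(True)))
```

Run stand-alone, the leaf-only policy accepts the client certificate even though its issuer has been revoked, while the whole-chain policy rejects it at the intermediate. The checks_whole_chain helper is the kind of configuration audit a deployment can apply to any SSLContext it builds: a context whose verify_flags carry only the leaf bit is in the vulnerable state described by the advisory.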

Affected version:

   FreeRADIUS <= 2.2.7, <= 3.0.8

Fixed version:

   FreeRADIUS >= 2.2.8, >= 3.0.9

Credit: vulnerability anonymously reported.

CVE: CVE-2015-4680

Timeline:

2015-06-17: vulnerability report received
2015-06-18: contacted FreeRADIUS security maintainer
2015-06-18: patch provided by maintainer
2015-06-19: assigned CVE
2015-06-22: advisory release

References:
https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2111
https://github.com/FreeRADIUS/freeradius-server/blob/b28326004379260ca2fe7b8884f813d90a741197/src/main/tls.c#L2595
http://freeradius.org/security.html

Permalink:
http://www.ocert.org/advisories/ocert-2015-008.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
Copyright 2019, SecurityGlobal.net LLC