The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of FreeRADIUS: buffer overflow via X.509

Synthesis of the vulnerability 

When FreeRADIUS is configured to authenticate users with 802.1X, an attacker can send a malicious client certificate, in order to generate an overflow, leading to code execution.
Impacted systems: Debian, Fedora, FreeRADIUS, Mandriva Linux, openSUSE, RHEL.
Severity of this alert: 3/4.
Creation date: 10/09/2012.
References of this alert: BID-55483, CERTA-2012-AVI-493, CVE-2012-3547, DSA-2546-1, FEDORA-2012-15397, FEDORA-2012-15743, MDVSA-2012:159, MDVSA-2013:038, openSUSE-SU-2012:1200-1, PRE-SA-2012-06, RHSA-2012:1326-01, RHSA-2012:1327-01, VIGILANCE-VUL-11927.

Description of the vulnerability 

The FreeRADIUS server can process 802.1X authentications based on EAP with TLS, such as EAP-TLS, EAP-TTLS or PEAP. In this case, the client can send an X.509 client certificate to FreeRADIUS in order to authenticate.

The cbtls_verify() function is then called to check the certificate. However, this function does not correctly check the size of a field in the certificate before copying it into a 64-bit array. A buffer overflow then occurs.

When FreeRADIUS is configured to authenticate users with 802.1X, an attacker can therefore send a malicious client certificate, in order to generate an overflow, leading to code execution.
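The unchecked copy described above, modelled as an added example (not FreeRADIUS code): a certificate field whose length the peer controls is copied into a fixed buffer, first without a length check and then with the check that rejects the certificate. The `cert_field` type, the 64-byte buffer size and the sample values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ASN.1 string field read from a parsed X.509
 * certificate; a real server would use its TLS library's own type. */
struct cert_field {
    const unsigned char *data;
    int length;      /* peer-controlled: taken from the client certificate */
};

#define FIELD_BUF_SIZE 64   /* assumed fixed destination size */

/* Vulnerable pattern: trusts the field length and copies it into a fixed
 * buffer, so a field longer than the buffer overwrites adjacent memory.
 * Shown for contrast only; it is never called on oversized input here. */
int copy_field_unchecked(const struct cert_field *f, char *out, size_t out_size)
{
    (void)out_size;                          /* the size is never consulted */
    memcpy(out, f->data, (size_t)f->length);
    out[f->length] = '\0';
    return 0;
}

/* Hardened pattern: validate the length before copying. Rejecting the
 * certificate is the right response; truncating would silently accept an
 * oddly formed field. Returns 0 on success, -1 if the field does not fit. */
int copy_field_checked(const struct cert_field *f, char *out, size_t out_size)
{
    if (f->length < 0 || (size_t)f->length >= out_size)
        return -1;                           /* no room for data plus NUL */
    memcpy(out, f->data, (size_t)f->length);
    out[f->length] = '\0';
    return 0;
}

/* Runs the hardened copy against a FIELD_BUF_SIZE buffer; 0 means accepted. */
int verify_field_fits(const unsigned char *data, int length)
{
    char buf[FIELD_BUF_SIZE];
    struct cert_field f = { data, length };
    return copy_field_checked(&f, buf, sizeof(buf));
}

int main(void)
{
    /* Constructed samples: a normal timestamp-sized field and an oversized one. */
    static const unsigned char normal[] = "20120910120000Z";
    static unsigned char oversized[200];
    memset(oversized, 'A', sizeof(oversized));
    printf("normal field:    %s\n", verify_field_fits(normal, 15) == 0 ? "accepted" : "rejected");
    printf("oversized field: %s\n", verify_field_fits(oversized, 200) == 0 ? "accepted" : "rejected");
    return 0;
}
```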

This computer weakness alert impacts software or systems such as Debian, Fedora, FreeRADIUS, Mandriva Linux, openSUSE, RHEL.

Our Vigil@nce team determined that the severity of this weakness note is important.

The trust level is: confirmed by the editor. The attack origin is: intranet client.

An attacker with expert ability can exploit this weakness bulletin.

Solutions for this threat 

FreeRADIUS: version 2.2.0.
Version 2.2.0 is fixed:
  http://freeradius.org/

Debian: new freeradius packages.
New packages are available:
  freeradius 2.1.10+dfsg-2+squeeze1

Fedora: new freeradius packages.
New packages are available:
  freeradius-2.2.0-0.fc16
  freeradius-2.2.0-0.fc17

Mandriva Business Server: new freeradius packages.
New packages are available:
  freeradius-2.1.12-9.1.mbs1

Mandriva: new freeradius packages.
New packages are available:
  freeradius-2.1.11-1.2-mdv2011.0

openSUSE: new freeradius-server packages.
New packages are available:
  openSUSE 11.4 : freeradius-server-2.1.10-8.1
  openSUSE 12.1 : freeradius-server-2.1.12-4.1
  openSUSE 12.2 : freeradius-server-2.1.12-4.4.1

RHEL: new freeradius packages.
New packages are available:
  freeradius2-2.1.12-4.el5_8
  freeradius-2.1.12-4.el6_3

Computer vulnerabilities tracking service 

Vigil@nce provides a systems vulnerabilities watch. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.