Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri,  8 Jan 2016 14:55:17 -0500 (EST)
From: cve-assign@...re.org
To: huzaifas@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, jmm@...ian.org
Subject: Re: CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The FreeRADIUS project has reported a flaw that affects the EAP-PWD
> module of the freeradius package versions 3.0 up to 3.0.8. This module
> is not enabled by default, so administrators must have manually enabled
> it for their servers to be vulnerable.
> 
> http://freeradius.org/security.html#eap-pwd-2015

We have revisited this and decided that it needs unique CVE IDs. As
mentioned on that security.html page, "These issues were found by
Jouni Malinen as part of investigating
http://w1.fi/security/2015-4/" - this suggested a possibility that the
CVE IDs listed in
http://www.openwall.com/lists/oss-security/2015/05/31/6 would be
applicable. However, FreeRADIUS apparently has an independent
implementation of EAP-pwd. This led to a somewhat unusual situation in
which most of the vulnerability findings were, at a high level, the
same -- but resulted from a different set of mistakes within a
different codebase. The applicable FreeRADIUS changes can be found in
the "Commits on May 4, 2015" section of:

  https://github.com/FreeRADIUS/freeradius-server/commits/v3.0.x/src/modules/rlm_eap/types/rlm_eap_pwd

and are distinct from the changes in the http://w1.fi/security/2015-4/
patches.

We are associating the three CVE IDs below with the items on the
security.html list, not with the specific FreeRADIUS commits.


>> The EAP-PWD packet length is not checked before the first byte is
>> dereferenced. A zero-length EAP-PWD packet will cause the module to
>> dereference a NULL pointer, and will cause the server to crash.

Use CVE-2015-8762.


>> The commit message payload length is not validated before the packet
>> is decoded. This can result in a read overflow in the server.
>> 
>> The confirm message payload length is not validated before the packet
> is decoded. This can result in a read overflow in the server.

Use CVE-2015-8763 for both of these issues.


>> A strcpy() was used to pack a C string into an EAP-PWD packet. This
>> would result in an over-run of the destination buffer by one byte.

Use CVE-2015-8764.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWkBOHAAoJEL54rhJi8gl5Od0P/1Y8DafilHgNgmQP4D5DfdfB
x9yuBDJt/rr8NnrbXsIjkuQMIB+UolyAcgEB4CDqiwh4SyYeZSbO1rj3zP0/1uS1
TyjLGLLiKHc3B53vEK/m3tAZ1M5GEsp3rIH+McCsbip+WlDpkuKexJ8E0kBleWiH
Mg5UslARv6b7yS5QIoH93MiiZSl+w0V0UtWIkEP1BfCskJhj9DvVd161hyRDcT7m
ZG52NdBYzCUYP4BC58qEPYtGwM1+OMjaHa6MjkpzqvubMwtdzGK15zcljy/yvN6k
oY7euhV55PbPsajuzHihBWWp0oejl5gBEiGX6fqCUS8BIoadaOFI9hKkWEBVKnav
wrE7+f03C2GO/rs46jp1737qtNzIrBklyTblDItLDA1QDqpc5q/Sb9xlLycZ9o8H
v++vSz3ZQILfi72T7BhhdMl5SQlfNuxdDw0BJBA6tC2+1thZWZBpIg/lXajHo9r9
E3qszBo0cmh5MSAEdWOMGEInt9DvHymPTcXEtZYFQph54Xb1YS/YYpItX9w5e7e+
nciRvLRFQwWzC0XJKv9klliStJygxW0g27StoMXncnDchRiIiBV4ypgPJITawi0L
9LWMSpAhS2VYAAJQjchLaUHFAHgmXwsIKEJJ2k7iuUXF6Qytee3k2uRieRQ3Rvx0
XhrlBiLeO/vhmZJ8trch
=16O5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ