Arch Linux Security Advisory ASA-201707-23

Severity: Critical
Date : 2017-07-18
CVE-ID : CVE-2017-10978 CVE-2017-10983 CVE-2017-10984 CVE-2017-10985
CVE-2017-10986 CVE-2017-10987
Package : freeradius
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-357

Summary

The package freeradius before version 3.0.15-1 is vulnerable to
multiple issues including arbitrary code execution and denial of
service.

Resolution

Upgrade to 3.0.15-1.

pacman -Syu “freeradius>=3.0.15-1”

The problems have been fixed upstream in version 3.0.15.

Workaround

None.

Description

• CVE-2017-10978 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
make_secret() function does not properly check for output buffer size
before writing data. A remote attacker with the ability to send packets
which are accepted by the server can perform a read or write overflow
of up to 16 octets, causing a denial of service.

• CVE-2017-10983 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode() function performed a strcmp() on binary data in an
internal data structure, instead of checking the length of the option
and doing a memcmp. A remote attacker with the ability to send packets
which are accepted by the server can make the server read its memory
until it reaches a zero byte or crashes, causing a denial of service.

• CVE-2017-10984 (arbitrary code execution)

A security issue has been found in freeradius <= 3.0.15, where the
data2vp_wimax() function checks for WiMAX attributes which are too
small, but it does not check for WiMAX attributes which are too large.
As a result, the server can be convinced to read past the end of an
attribute, and to write past the end of memory allocated via malloc().
A remote attacker with the ability to send packets which are accepted
by the server can cause a write overflow, possibly leading to remote
code execution.

• CVE-2017-10985 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
server could go into an infinite loop and exhaust memory when it
receives zero-length attributes marked ‘concat’ in the dictionaries.

• CVE-2017-10986 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
dhcp_attr2vp() function, when decoding “string” options in an array,
could be convinced to call memchr() with a length argument of -1. This
could result in an over-read until the first zero octet was found, or a
page fault occurred.

• CVE-2017-10987 (denial of service)

A security issue has been found in freeradius <= 3.0.15, where the
fr_dhcp_decode_suboptions() function does not properly check if sub-
options overflow the packet.

Impact

A remote attacker with the ability to send packets which are accepted
by the server can cause a denial of service or execute arbitrary code
on the affected host via a crafted packet.

References

http://freeradius.org/security/fuzzer-2017.html
http://freeradius.org/security/fuzzer-2017.html#FR-GV-201
https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68
https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f
http://freeradius.org/security/fuzzer-2017.html#FR-GV-206
https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d
http://freeradius.org/security/fuzzer-2017.html#FR-GV-301
https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6
http://freeradius.org/security/fuzzer-2017.html#FR-GV-302
https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97
http://freeradius.org/security/fuzzer-2017.html#FR-GV-303
https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c
http://freeradius.org/security/fuzzer-2017.html#FR-GV-304
https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866
https://security.archlinux.org/CVE-2017-10978
https://security.archlinux.org/CVE-2017-10983
https://security.archlinux.org/CVE-2017-10984
https://security.archlinux.org/CVE-2017-10985
https://security.archlinux.org/CVE-2017-10986
https://security.archlinux.org/CVE-2017-10987