Arch Linux Security Advisory ASA-201707-23 ========================================== Severity: Critical Date : 2017-07-18 CVE-ID : CVE-2017-10978 CVE-2017-10983 CVE-2017-10984 CVE-2017-10985 CVE-2017-10986 CVE-2017-10987 Package : freeradius Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-357 Summary ======= The package freeradius before version 3.0.15-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 3.0.15-1. # pacman -Syu "freeradius>=3.0.15-1" The problems have been fixed upstream in version 3.0.15. Workaround ========== None. Description =========== - CVE-2017-10978 (denial of service) A security issue has been found in freeradius <= 3.0.15, where the make_secret() function does not properly check for output buffer size before writing data. A remote attacker with the ability to send packets which are accepted by the server can perform a read or write overflow of up to 16 octets, causing a denial of service. - CVE-2017-10983 (denial of service) A security issue has been found in freeradius <= 3.0.15, where the fr_dhcp_decode() function performed a strcmp() on binary data in an internal data structure, instead of checking the length of the option and doing a memcmp. A remote attacker with the ability to send packets which are accepted by the server can make the server read its memory until it reaches a zero byte or crashes, causing a denial of service. - CVE-2017-10984 (arbitrary code execution) A security issue has been found in freeradius <= 3.0.15, where the data2vp_wimax() function checks for WiMAX attributes which are too small, but it does not check for WiMAX attributes which are too large. As a result, the server can be convinced to read past the end of an attribute, and to write past the end of memory allocated via malloc(). A remote attacker with the ability to send packets which are accepted by the server can cause a write overflow, possibly leading to remote code execution. - CVE-2017-10985 (denial of service) A security issue has been found in freeradius <= 3.0.15, where the server could go into an infinite loop and exhaust memory when it receives zero-length attributes marked 'concat' in the dictionaries. - CVE-2017-10986 (denial of service) A security issue has been found in freeradius <= 3.0.15, where the dhcp_attr2vp() function, when decoding "string" options in an array, could be convinced to call memchr() with a length argument of -1. This could result in an over-read until the first zero octet was found, or a page fault occurred. - CVE-2017-10987 (denial of service) A security issue has been found in freeradius <= 3.0.15, where the fr_dhcp_decode_suboptions() function does not properly check if sub- options overflow the packet. Impact ====== A remote attacker with the ability to send packets which are accepted by the server can cause a denial of service or execute arbitrary code on the affected host via a crafted packet. References ========== http://freeradius.org/security/fuzzer-2017.html http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 https://security.archlinux.org/CVE-2017-10978 https://security.archlinux.org/CVE-2017-10983 https://security.archlinux.org/CVE-2017-10984 https://security.archlinux.org/CVE-2017-10985 https://security.archlinux.org/CVE-2017-10986 https://security.archlinux.org/CVE-2017-10987