Bug 1218467 (CVE-2015-8762, CVE-2015-8763, CVE-2015-8764)

Summary: CVE-2015-8762 CVE-2015-8763 CVE-2015-8764 freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer
Product: [Other] Security Response Reporter: Fabio Olive Leite <fleite>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dpal, ebenes, jrusnack, lemenkov, nikolai.kondrashov, vkaigoro
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: FreeRADIUS 3.0.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-02 03:30:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1248894    
Bug Blocks: 1218471    

Description Fabio Olive Leite 2015-05-05 01:41:53 UTC 
The FreeRADIUS project has reported a flaw that affects the EAP-PWD module
of the freeradius package versions 3.0 up to 3.0.8. This module is not
enabled by default, so administrators must have manually enabled it for
their servers to be vulnerable.

External References:

http://freeradius.org/security.html#eap-pwd-2015
Comment 1 Huzaifa S. Sidhpurwala 2015-07-31 06:28:13 UTC 
CVE Request:

http://seclists.org/oss-sec/2015/q3/261
Comment 2 Huzaifa S. Sidhpurwala 2015-07-31 06:30:33 UTC 
Statement:

This issue affects the version of freeradius as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
Comment 3 Huzaifa S. Sidhpurwala 2015-07-31 06:32:55 UTC 
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1248894]
Comment 5 Adam Mariš 2016-01-11 13:31:28 UTC 
Three CVEs were assigned (http://seclists.org/oss-sec/2016/q1/52):

CVE-2015-8762: The EAP-PWD packet length is not checked before the first byte is
dereferenced. A zero-length EAP-PWD packet will cause the module to
dereference a NULL pointer, and will cause the server to crash.

CVE-2015-8763: The commit message payload length is not validated before the packet is decoded. This can result in a read overflow in the server. The confirm message payload length is not validated before the packet is decoded. This can result in a read overflow in the server.

CVE-2015-8764: A strcpy() was used to pack a C string into an EAP-PWD packet. This would result in an over-run of the destination buffer by one byte.