Bug 1264121

Summary: freeradius: Decryption of very long Tunnel-Passwords can cause buffer overflow
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dpal, ebenes, fdvorak, jdennis, lemenkov, nikolai.kondrashov, pkis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeradius-2.2.9, freeradius-3.0.10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:43:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1264123, 1340334    
Bug Blocks: 1264122    

Description Adam Mariš 2015-09-17 14:31:08 UTC 
A vulnerability in the decryption of very long Tunnel-Passwords was found. The decryption routines could walk off of the end of a buffer and write to adjacent addresses. The data being written is not under control of an attacker. The end result is usually a crash of the server. The packet decoder in FreeRADIUS ensures that the only time this issue is exploitable is when a proxy server receives a long Tunnel-Password attribute in the reply from a home server. The attack cannot be performed by a RADIUS client, or an end user. As such, the exploitability of the attack is limited to systems within the trusted RADIUS environment.

Vulnerability affects 3.0.x and 3.1.x versions. Versions 2.x don't seem to be exploitable.

External reference:

http://freeradius.org/security.html
Comment 1 Adam Mariš 2015-09-17 14:33:17 UTC 
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1264123]