Bug 639390 (CVE-2010-3696)

Summary: CVE-2010-3696 freeradius: DoS via certain DHCP requests
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aland, dpal, jdennis, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20100530,reported=20100928,source=internet,impact=low,cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P/,rhel-6/freeradius=affected/cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P,fedora-all/freeradius=affected/cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P,rhel-5/freeradius=notaffected,rhel-4/freeradius=notaffected,rhel-3/freeradius=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-25 05:51:32 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 639488, 639489, 639490    
Bug Blocks:    

Description Vincent Danen 2010-10-01 12:00:40 EDT
It was reported [1],[2] that an error when processing DHCP requests with the 'Relay Agent Information' option (82) in src/lib/dhcp.c could be exploited to cause an infinite loop, in the process denying further requests via a packet with multiple sub-options.

According to the upstream report, this flaw seems to only affect 2.1.9 and was fixed [3] in 2.1.10.

[1] https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=77
[2] http://secunia.com/advisories/41621
[3] http://github.com/alandekok/freeradius-server/commit/4dc7800b866f889a1247685bbaa6dd4238a56279

The offending file (dhcp.c) is not present in the version of freeradius as provided with Red Hat Enterprise Linux 5 (1.1.3).
Comment 2 Vincent Danen 2010-10-01 17:52:27 EDT
This issue has been assigned the name CVE-2010-3696.
Comment 5 Vincent Danen 2010-10-01 17:58:57 EDT
Created freeradius tracking bugs for this issue

Affects: fedora-all [bug 639490]
Comment 6 aland 2010-10-03 12:46:50 EDT
It would help to talk to the vendor before requesting a CVE, and filing a
security issue.

 1) the code is *not* built as part of the default installation
    You have to go out of your way to enable it

 2) the functionality is marked as "not for production use".
    i.e. if it affects your production network, it's not our fault

i.e. this is NOT a security issue in any binary shipped by any OS vendor.  It is not a security issue in the default installation of FreeRADIUS.
Comment 7 Tomas Hoger 2010-11-25 05:51:32 EST
As Alan commented above, DHCP support is not enabled upstream by default, and is not enabled in Fedora and Red Hat Enterprise Linux FreeRADIUS packages.

Alan, thank you for your comments!


Not vulnerable. This issue did not affect the versions of freeradius as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Comment 8 Vincent Danen 2011-05-03 12:50:25 EDT
Upstream has made the following public dispute to this flaw (http://freeradius.org/security.html):

2010.10.01 CVE-2010-3696 - This issue was filed without consulting with us, and we do not agree with the assessment.

The correct summary is that modifying the source code to the server can cause it to crash. The DHCP code is clearly marked "experimental", and is not normally included in the server binaries. It should be no surprise, therefore, that experimental and untested features do not work properly.

We recommend that people run experimental code in a closed environment. People who want a fix to this issue can upgrade to the latest version of the server.