The FreeRADIUS project has reported a flaw that affects the EAP-PWD module of the freeradius package versions 3.0 up to 3.0.8. This module is not enabled by default, so administrators must have manually enabled it for their servers to be vulnerable.

External References: http://freeradius.org/security.html#eap-pwd-2015
CVE Request: http://seclists.org/oss-sec/2015/q3/261
Statement: This issue affects the version of freeradius as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates.
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1248894]
Three CVEs were assigned (http://seclists.org/oss-sec/2016/q1/52):

CVE-2015-8762: The EAP-PWD packet length is not checked before the first byte is dereferenced. A zero-length EAP-PWD packet will cause the module to dereference a NULL pointer, and will cause the server to crash.

CVE-2015-8763: The commit message payload length is not validated before the packet is decoded. This can result in a read overflow in the server. The confirm message payload length is not validated before the packet is decoded. This can result in a read overflow in the server.

CVE-2015-8764: A strcpy() was used to pack a C string into an EAP-PWD packet. This would result in an over-run of the destination buffer by one byte.
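The three bug classes above all come down to length checks that must happen before a byte is read or written. The sketch below is an added example, not FreeRADIUS code: every name is hypothetical, `buf` is assumed to start at the EAP-pwd header octet (L bit and PWD-Exch layout per RFC 5931), and `expected` stands in for the payload size the negotiated group and hash require.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; this is not FreeRADIUS source. */
enum pwd_status { PWD_OK = 0, PWD_EMPTY, PWD_SHORT, PWD_BAD_LEN, PWD_NO_ROOM };

#define PWD_L_BIT     0x80  /* RFC 5931: a 2-octet Total-Length field follows */
#define PWD_EXCH_MASK 0x3f  /* RFC 5931: PWD-Exch (1=ID, 2=Commit, 3=Confirm) */

struct pwd_view { uint8_t exch; const uint8_t *payload; size_t payload_len; };

/* Validate every length before touching the packet. `expected` is the payload
 * size the caller requires for this exchange (0 = no fixed size). */
enum pwd_status pwd_parse(const uint8_t *buf, size_t len, size_t expected,
                          struct pwd_view *out)
{
    size_t hdr = 1;

    if (buf == NULL || len == 0)      /* zero-length packet (CVE-2015-8762 class) */
        return PWD_EMPTY;
    if (buf[0] & PWD_L_BIT)           /* safe: len >= 1 was checked above */
        hdr += 2;
    if (len < hdr)                    /* header itself is truncated */
        return PWD_SHORT;
    if (expected != 0 && len - hdr != expected)
        return PWD_BAD_LEN;           /* commit/confirm size (CVE-2015-8763 class) */

    out->exch = buf[0] & PWD_EXCH_MASK;
    out->payload = buf + hdr;
    out->payload_len = len - hdr;
    return PWD_OK;
}

/* Pack a C string into a packet field without its NUL terminator. strcpy()
 * would also write the terminator, one byte past a field sized for strlen(s)
 * (CVE-2015-8764 class). */
enum pwd_status pwd_pack_str(uint8_t *dst, size_t dst_len, const char *s,
                             size_t *written)
{
    size_t n = strlen(s);

    if (n > dst_len)
        return PWD_NO_ROOM;
    memcpy(dst, s, n);                /* copies exactly n bytes, no terminator */
    *written = n;
    return PWD_OK;
}
```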