Bug 1264121 - freeradius: Decryption of very long Tunnel-Passwords can cause buffer overflow
freeradius: Decryption of very long Tunnel-Passwords can cause buffer overflow
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1264123 1340334
Blocks: 1264122
  Show dependency treegraph
Reported: 2015-09-17 10:31 EDT by Adam Mariš
Modified: 2017-06-19 07:16 EDT (History)
7 users (show)

See Also:
Fixed In Version: freeradius-2.2.9, freeradius-3.0.10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-09-17 10:31:08 EDT
A vulnerability in the decryption of very long Tunnel-Passwords was found. The decryption routines could walk off of the end of a buffer and write to adjacent addresses. The data being written is not under control of an attacker. The end result is usually a crash of the server. The packet decoder in FreeRADIUS ensures that the only time this issue is exploitable is when a proxy server receives a long Tunnel-Password attribute in the reply from a home server. The attack cannot be performed by a RADIUS client, or an end user. As such, the exploitability of the attack is limited to systems within the trusted RADIUS environment.

Vulnerability affects 3.0.x and 3.1.x versions. Versions 2.x don't seem to be exploitable.

External reference:

Comment 1 Adam Mariš 2015-09-17 10:33:17 EDT
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1264123]

Note You need to log in before you can comment on or make changes to this bug.