The make_secret() function does not properly check for output buffer size before writing data. It can perform a read or write overflow of up to 16 octets. The issue can happen when when the server is sending a RADIUS packet that is almost at the maximum (4K octets), and the last attribute in the packet is an Ascend-Send-Secret (or similar) attribute. The data being written is an MD5 digest of the shared secret, concatenated to data which is under the attackers control. This issue can also happen when receiving a packet that has an Ascend-Send-Secret (or similar) attribute of the wrong size. The server will read data past the end of the attribute, up to a limit of 16 octets. The security impact is denial of service by anyone who can send packets which are accepted by the server. Affected versions: 2.0.0 through 3.0.14, inclusive.
Acknowledgments: Name: the FreeRADIUS project Upstream: Guido Vranken
Created attachment 1295282 [details] Proposed patch
Created attachment 1296197 [details] Proposed patch for v3
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1471848]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1759 https://access.redhat.com/errata/RHSA-2017:1759
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
External References: http://freeradius.org/security/fuzzer-2017.html