Bug 1468550 - (CVE-2017-10985) CVE-2017-10985 freeradius: Infinite loop and memory exhaustion with 'concat' attributes
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170717,repor...
: Security
Depends On: 1469416 1471863 1469417
Blocks: 1468570
Reported: 2017-07-07 07:48 EDT by Adam Mariš
Modified: 2017-08-02 05:48 EDT
Fixed In Version: freeradius 3.0.15
Doc Text:
A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet.
Last Closed: 2017-08-02 05:41:17 EDT


Attachments
Proposed patch (1.87 KB, patch)
2017-07-07 08:06 EDT, Adam Mariš

Description Adam Mariš 2017-07-07 07:48:21 EDT
When the server receives zero-length attributes marked 'concat' in the dictionaries, it could go into an infinite loop and exhaust memory. The issue happens when the server receives a packet containing the following attribute data: 4f 02, 89 02, 90 02, or b4 02.

The security impact is denial of service by anyone who can send packets which are accepted by the server.

Affected versions: 3.0.0 through 3.0.14, inclusive.
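
An added example, not part of the bug report or of FreeRADIUS: a small RADIUS attribute walker that flags the zero-length attributes listed in the description, suitable for checking captured packets. It assumes the standard RADIUS layout (20-byte header, then type/length/value attributes); the function names and sample packets are constructed for illustration.

```python
import struct

# Attribute type bytes listed in the bug description (4f, 89, 90, b4).
CONCAT_TYPES = {0x4F, 0x89, 0x90, 0xB4}
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def find_empty_concat_attrs(packet: bytes):
    """Return [(offset, type)] for zero-length attributes of the listed types.

    Raises ValueError if the packet is structurally malformed.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    (declared,) = struct.unpack("!H", packet[2:4])
    if declared < HEADER_LEN or declared > len(packet):
        raise ValueError("bad length field")
    hits = []
    pos = HEADER_LEN
    while pos < declared:
        if declared - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # attr_len counts its own two header bytes; a value < 2 would
        # never advance pos, so reject it instead of looping.
        if attr_len < 2 or pos + attr_len > declared:
            raise ValueError(f"bad attribute length at offset {pos}")
        if attr_len == 2 and attr_type in CONCAT_TYPES:
            hits.append((pos, attr_type))
        pos += attr_len
    return hits


def build_packet(attrs: bytes, code: int = 1, ident: int = 0) -> bytes:
    """Constructed sample: Access-Request header with a zeroed authenticator."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    # Constructed inputs: User-Name "bob" followed by an EAP-Message attribute.
    user = bytes([0x01, 0x05]) + b"bob"
    benign = build_packet(user + bytes([0x4F, 0x04, 0x02, 0x00]))
    flagged = build_packet(user + bytes.fromhex("4f02"))
    print(find_empty_concat_attrs(benign))
    print(find_empty_concat_attrs(flagged))
```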
Comment 1 Adam Mariš 2017-07-07 07:48:26 EDT
Acknowledgments:

Name: the FreeRADIUS project
Upstream: Guido Vranken
Comment 2 Adam Mariš 2017-07-07 08:06 EDT
Created attachment 1295269
Proposed patch
Comment 5 Dhiru Kholia 2017-07-17 10:37:56 EDT
Created freeradius tracking bugs for this issue:

Affects: fedora-all [bug 1471863]
Comment 6 errata-xmlrpc 2017-08-01 19:25:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
Comment 7 Dhiru Kholia 2017-08-02 05:42:05 EDT
External References:

http://freeradius.org/security/fuzzer-2017.html
