Red Hat Bugzilla – Bug 236247
CVE-2007-2028 Freeradius EAP-TTLS denial of service
Last modified: 2007-11-30 17:07:43 EST
A flaw was found in the way FreeRADIUS parses certain authentication requests.
The upstream description explains it as such:
2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send
malformed Diameter format attributes inside of an EAP-TTLS tunnel. The
server would reject the authentication request, but would leak one
VALUE_PAIR data structure, of approximately 300 bytes. If an attacker
performed the attack many times (e.g. thousands or more over a period of
minutes to hours), the server could leak megabytes of memory, potentially
leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
The EAP-TTLS support is not enabled by default in any FreeRADIUS
This flaw also affects RHEL 3 and 4.
Created attachment 152488
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
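
The leak class in the upstream description (a request is rejected, but one attribute structure allocated while parsing it is never freed), as an added example that is not FreeRADIUS code and not part of this bug report. `pair_t`, the fixed-size arena standing in for the heap, `parse_avps` and its `fixed` flag are hypothetical, and the specific mistake shown (forgetting the pair still under construction on the reject path) is an assumption, since the page does not show the affected code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a parsed attribute; not FreeRADIUS's VALUE_PAIR. */
typedef struct pair { uint32_t code; size_t len; uint8_t data[253]; struct pair *next; } pair_t;
/* Small fixed arena standing in for the heap, so exhaustion is observable. */
#define POOL 64
static pair_t pool[POOL]; static unsigned char used[POOL];
int live_pairs;                                    /* pairs currently allocated */
void pool_reset(void) { memset(used, 0, sizeof used); live_pairs = 0; }
static pair_t *pair_alloc(void) {
    for (int i = 0; i < POOL; i++)
        if (!used[i]) { used[i] = 1; live_pairs++; memset(&pool[i], 0, sizeof pool[i]); return &pool[i]; }
    return NULL;                                   /* arena exhausted */
}
void pair_list_free(pair_t *p) { for (pair_t *n; p; p = n) { n = p->next; used[p - pool] = 0; live_pairs--; } }
/* Constructed samples: one valid AVP (code 1, 4 data bytes), then the same
 * followed by an AVP whose 3-byte length (4) is shorter than its own header. */
const uint8_t good_avp[12] = {0,0,0,1, 0x40, 0,0,12, 'u','s','e','r'};
const uint8_t bad_avps[20] = {0,0,0,1, 0x40, 0,0,12, 'u','s','e','r', 0,0,0,2, 0x40, 0,0,4};

/* Diameter AVP: 4-byte code, 1-byte flags, 3-byte length (header included),
 * 4-byte vendor id if flag 0x80 is set, data padded to 4 bytes.
 * fixed=0 forgets the in-progress pair on the reject path; fixed=1 frees it. */
pair_t *parse_avps(const uint8_t *buf, size_t len, int fixed)
{
    pair_t *head = NULL, **tail = &head, *vp = NULL;
    size_t off = 0, hdr, alen;
    while (off < len) {
        const uint8_t *p = buf + off;
        vp = pair_alloc();                         /* allocated before validation */
        if (!vp || len - off < 8) goto fail;
        hdr = (p[4] & 0x80) ? 12 : 8;
        alen = ((size_t)p[5] << 16) | ((size_t)p[6] << 8) | p[7];
        if (alen < hdr || alen > len - off || alen - hdr > sizeof vp->data) goto fail;
        vp->code = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
        vp->len = alen - hdr;
        memcpy(vp->data, p + hdr, vp->len);
        *tail = vp; tail = &vp->next; vp = NULL;   /* ownership moves to the list */
        off += (alen + 3) & ~(size_t)3;            /* skip padding */
    }
    return head;
fail:
    pair_list_free(head);                          /* pairs already on the list */
    if (fixed) pair_list_free(vp);                 /* the pair still under construction */
    return NULL;
}
int main(void) {   /* 1000 rejected requests through the corrected path */
    for (int i = 0; i < 1000; i++) parse_avps(bad_avps, sizeof bad_avps, 1);
    return printf("pairs still allocated: %d\n", live_pairs) < 0;
}
```

A regression test for this kind of fix checks that the allocation count returns to its starting value after any number of rejected requests.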