Red Hat Bugzilla – Bug 236248
CVE-2007-2028 Freeradius EAP-TTLS denial of service
Last modified: 2007-11-30 17:12:02 EST
+++ This bug was initially created as a clone of Bug #236247 +++
A flaw was found in the way FreeRADIUS parses certain authentication requests.
The upstream description explains it as such:
2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send
malformed Diameter format attributes inside of an EAP-TTLS tunnel. The
server would reject the authentication request, but would leak one
VALUE_PAIR data structure, of approximately 300 bytes. If an attacker
performed the attack many times (e.g. thousands or more over a period of
minutes to hours), the server could leak megabytes of memory, potentially
leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
The EAP-TTLS support is not enabled by default in any FreeRADIUS
This flaw also affects FC5
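The leak pattern in the upstream description, reduced to an added C example (not FreeRADIUS source and not the upstream patch): a simplified Diameter AVP parser whose reject path either drops or frees the partially built attribute list. `pair_t`, `parse_avps`, `free_on_error`, `leaked_after_reject` and the sample request are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DATA_MAX 64
/* Hypothetical attribute node standing in for the server's VALUE_PAIR. */
typedef struct pair { uint32_t code; size_t len; uint8_t data[DATA_MAX]; struct pair *next; } pair_t;
static long live_pairs;   /* allocation counter: makes a leak observable */

static pair_t *pair_new(void) { pair_t *p = calloc(1, sizeof *p); if (p) live_pairs++; return p; }
static void pair_list_free(pair_t *p) {
    while (p) { pair_t *n = p->next; free(p); live_pairs--; p = n; }
}

/* Diameter AVP: 4-byte code, 1-byte flags, 3-byte length (header included),
 * optional 4-byte vendor id when the V flag (0x80) is set, data padded to 4.
 * Returns the list, or NULL when the request is rejected as malformed.
 * free_on_error=0 shows the leaking error path, 1 the corrected one. */
static pair_t *parse_avps(const uint8_t *b, size_t n, int free_on_error) {
    pair_t *head = NULL, **tail = &head;
    size_t off = 0;
    while (off < n) {
        if (n - off < 8) goto reject;
        size_t hdr = (b[off + 4] & 0x80) ? 12 : 8;
        size_t alen = ((size_t)b[off + 5] << 16) | ((size_t)b[off + 6] << 8) | b[off + 7];
        if (alen < hdr || alen > n - off || alen - hdr > DATA_MAX) goto reject;
        pair_t *p = pair_new();
        if (!p) goto reject;
        p->code = ((uint32_t)b[off] << 24) | ((uint32_t)b[off + 1] << 16)
                | ((uint32_t)b[off + 2] << 8) | b[off + 3];
        p->len = alen - hdr;
        memcpy(p->data, b + off + hdr, p->len);
        *tail = p; tail = &p->next;
        off += (alen + 3) & ~(size_t)3;   /* skip padding to the next AVP */
    }
    return head;
reject:
    if (free_on_error) pair_list_free(head);  /* the fix: release the partial list */
    return NULL;                              /* caller gets no pointer to free */
}

/* Constructed sample: one valid AVP, then one whose length (4) is below the header size. */
static const uint8_t bad_req[] = { 0,0,0,1, 0x40, 0,0,12, 'u','s','e','r',
                                   0,0,0,2, 0x40, 0,0,4,  0,0,0,0 };
static long leaked_after_reject(int free_on_error) {
    long before = live_pairs;
    pair_list_free(parse_avps(bad_req, sizeof bad_req, free_on_error));
    return live_pairs - before;   /* nodes still allocated after the reject */
}
int main(void) {
    printf("leaky: %ld leaked, fixed: %ld\n", leaked_after_reject(0), leaked_after_reject(1));
    return 0;
}
```

Running the same parser under a leak checker such as Valgrind or AddressSanitizer's LeakSanitizer with malformed inputs in the test suite catches this class of error-path leak before release.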
-- Additional comment from firstname.lastname@example.org on 2007-04-12 13:31 EST --
Created an attachment (id=152488)
freeradius-1.1.3-2.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.