Red Hat Bugzilla – Bug 236248
CVE-2007-2028 Freeradius EAP-TTLS denial of service
Last modified: 2007-11-30 17:12:02 EST
+++ This bug was initially created as a clone of Bug #236247 +++ A flaw was found in the way FreeRADIUS parses certain authentication requests. The upstream description explain it as such: http://www.freeradius.org/security.html 2007.04.10 v1.1.5, and earlier - A malicous 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit. We recommend that administrators using EAP-TTLS upgrade immediately. This bug was found as part of the Coverity Scan project. The EAP-TTLS support is not enabled by default in any FreeRADIUS installations. This flaw also affects FC5 -- Additional comment from bressers@redhat.com on 2007-04-12 13:31 EST -- Created an attachment (id=152488) Upstream Patch
freeradius-1.1.3-2.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.