911685 – (CVE-2013-0342) CVE-2013-0342 python-pyrad: CreateID() creates serialized packet IDs for RADIUS

Bug 911685 (CVE-2013-0342) - CVE-2013-0342 python-pyrad: CreateID() creates serialized packet IDs for RADIUS

Summary: CVE-2013-0342 python-pyrad: CreateID() creates serialized packet IDs for RADIUS

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2013-0342
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	894488 911687
Blocks:
TreeView+	depends on / blocked

Reported:	2013-02-15 16:12 UTC by Vincent Danen
Modified:	2019-09-29 13:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 11:00:06 UTC

Attachments	(Terms of Use)

Description Vincent Danen 2013-02-15 16:12:02 UTC

Nathaniel McCallum reported that pyrad was creating serialized RADIUS packet IDs in the CreateID() function in packet.py.  This is not suitable for RADIUS as the RFC specifies that the ID must not be predictable.  As a result, the ID of the next packet sent can be spoofed.

This has been corrected in upstream's forthcoming version 2.1 via:

https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5

Comment 1 Vincent Danen 2013-02-15 16:13:20 UTC

Created python-pyrad tracking bugs for this issue

Affects: fedora-all [bug 894488]
Affects: epel-all [bug 911687]

Comment 2 Vincent Danen 2013-02-20 17:11:38 UTC


*** This bug has been marked as a duplicate of bug 911682 ***

Comment 3 Nathaniel McCallum 2013-02-20 22:56:31 UTC

The above patch does not apply to this issue as this issue is NOT a duplicate of bug 911682.

Comment 4 Vincent Danen 2013-02-20 23:04:31 UTC

Why is that?

If I look at the patch, I see the change to CreateID() on line 226/229 from using random.randrange() to random_generator.randrange().  Is that not the fix for this issue?

That is the only upstream patch applied in the last year and a half.

Comment 5 Nathaniel McCallum 2013-02-21 15:34:10 UTC

See: https://github.com/wichert/pyrad/blob/38f74b36814ca5b1a27d9898141126af4953bee5/pyrad/packet.py#L518

There are two CreateID() codepaths. One generates a random ID and the other generates a sequential ID. Neither checks for uniqueness.

To be fair, this predictability is only exploitable in the presence of another security problem. So the issue is minor and it would require a major upstream API rework. I don't know if upstream will accept any patch to fix this or even consider this a bug. Bug 911682 is far more serious.

I'm not sure how the CVE for this bug should be handled.

Comment 6 Vincent Danen 2013-02-21 23:13:16 UTC

Ok, I see it now.  Your initial report wasn't clear enough (pointing to actual code snippets instead of function names (when there are two identical) would have helped.

This is a bit messy now.  We did have two CVEs assigned, and MITRE rejected one based on their assumption (and my own) of that patch correcting both flaws.  I'll have to see if we can use the old one or if we need a new one again.

I've requested it on oss-sec now: http://www.openwall.com/lists/oss-security/2013/02/21/27

Comment 7 Vincent Danen 2013-02-22 17:05:57 UTC

CVE-2013-0342 was assigned to this issue:

http://www.openwall.com/lists/oss-security/2013/02/22/2

Comment 8 Product Security DevOps Team 2019-06-10 11:00:06 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.