CVE-2007-2028: vulnerable to memory exhaustion via malformed Diameter format attributes inside of an EAP-TTLS tunnel
Bug #106006 reported by
Kees Cook
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| freeradius (Fedora) |
Fix Released
|
Medium
|
|||
| freeradius (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Dapper |
Fix Released
|
Undecided
|
William Grant | ||
| Edgy |
Fix Released
|
Undecided
|
William Grant | ||
| Feisty |
Fix Released
|
Undecided
|
William Grant | ||
Bug Description
Binary package hint: freeradius
Security update from http://
"v1.1.5, and earlier - A malicous 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project."
CVE References
Revision history for this message
| Eddie M. (eddiemartinez) wrote | #1 |
Revision history for this message
| Kees Cook (kees) wrote | #2 |
| Changed in freeradius: | |
| status: | New → Fix Released |
Revision history for this message
| William Grant (wgrant) wrote | #3 |
| Changed in freeradius: | |
| assignee: | nobody → fujitsu |
| status: | New → In Progress |
| assignee: | nobody → fujitsu |
| status: | New → In Progress |
| assignee: | nobody → fujitsu |
| status: | New → In Progress |
| Changed in freeradius: | |
| status: | Unknown → Fix Released |
| Changed in freeradius: | |
| status: | In Progress → Triaged |
| status: | In Progress → Triaged |
| status: | In Progress → Triaged |
| Changed in freeradius: | |
| status: | Triaged → In Progress |
| Changed in freeradius: | |
| status: | Triaged → In Progress |
| status: | Triaged → In Progress |
Revision history for this message
| William Grant (wgrant) wrote | #4 |
Revision history for this message
| William Grant (wgrant) wrote | #5 |
Revision history for this message
| William Grant (wgrant) wrote | #6 |
Revision history for this message
| Kees Cook (kees) wrote | #7 |
| Changed in freeradius: | |
| status: | In Progress → Fix Committed |
| status: | In Progress → Fix Committed |
| status: | In Progress → Fix Committed |
Revision history for this message
| William Grant (wgrant) wrote | #8 |
| Changed in freeradius: | |
| status: | Fix Committed → Fix Released |
| Changed in freeradius: | |
| status: | Fix Committed → Fix Released |
| status: | Fix Committed → Fix Released |
| Changed in freeradius (Fedora): | |
| importance: | Unknown → Medium |
To post a comment you must log in.
A flaw was found in the way FreeRADIUS parses certain authentication requests.
The upstream description explain it as such:
http://
2007.04.10 v1.1.5, and earlier - A malicous 802.1x supplicant could send
malformed Diameter format attributes inside of an EAP-TTLS tunnel. The
server would reject the authentication request, but would leak one
VALUE_PAIR data structure, of approximately 300 bytes. If an attacker
performed the attack many times (e.g. thousands or more over a period of
minutes to hours), the server could leak megabytes of memory, potentially
leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
The EAP-TTLS support is not enabled by default in any FreeRADIUS
installations.
This flaw also affects RHEL 3 and 4.