| Summary: | freeradius new security issue CVE-2024-3596 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | freeradius-3.0.26-1.2.mga9.src.rpm | CVE: | CVE-2024-3596 |
| Status comment: | Fixed upstream in 3.0.27 | ||
Description
Nicolas Salguero
2024-07-10 09:55:22 CEST
I think we also need to tell users who already deployed freeradius that they need to update their radiusd.conf file to add the following two lines into the security section:

"""
require_message_authenticator = auto
limit_proxy_state = auto
"""

See: https://www.freeradius.org/security/

CVE: (none) => CVE-2024-3596

Assigning this directly to DavidG who has done all recent maintenance of this SRPM.

Assignee: bugsquad => geiger.david68210

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
freeradius-3.0.27-1.mga9
freeradius-krb5-3.0.27-1.mga9
freeradius-ldap-3.0.27-1.mga9
freeradius-mysql-3.0.27-1.mga9
freeradius-postgresql-3.0.27-1.mga9
freeradius-sqlite-3.0.27-1.mga9
freeradius-unixODBC-3.0.27-1.mga9
freeradius-yubikey-3.0.27-1.mga9
libfreeradius-devel-3.0.27-1.mga9
libfreeradius1-3.0.27-1.mga9
lib64freeradius-devel-3.0.27-1.mga9
lib64freeradius1-3.0.27-1.mga9

From SRPMS:
freeradius-3.0.27-1.mga9.src.rpm

Note: these two lines are added upstream in the default radiusd.conf file:

"""
require_message_authenticator = auto
limit_proxy_state = auto
"""

Assignee: geiger.david68210 => qa-bugs
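The two comments above say that an already deployed radiusd.conf needs the two new lines in its security section (the 3.0.27 package only ships them in the default file). The script below is an added example for this report, not code from FreeRADIUS or from the Mageia package: it checks whether a given radiusd.conf already sets require_message_authenticator and limit_proxy_state inside the top-level security { } block (commented-out lines do not count), and prints a copy with the missing lines inserted. The sample configuration it writes is constructed for the demonstration, and the path /etc/raddb/radiusd.conf in the usage line is the one the status output in this report shows radiusd reading from.

```sh
#!/bin/sh
# Added example for this bug report (not part of FreeRADIUS or the Mageia
# package): check whether an already deployed radiusd.conf carries the two
# CVE-2024-3596 settings inside its security { } section, and emit a patched
# copy when it does not. The sample file is constructed for the demonstration.

# has_setting FILE KEY -> exit status 0 when KEY is set (not commented out)
# inside the top-level security { ... } block of FILE.
has_setting() {
    awk -v key="$2" '
        { line = $0; sub(/#.*/, "", line) }       # ignore comments
        depth == 0 && line ~ /^[[:space:]]*security[[:space:]]*[{]/ { insec = 1 }
        insec && line ~ ("^[[:space:]]*" key "[[:space:]]*=") { found = 1 }
        { depth += gsub(/[{]/, "{", line); depth -= gsub(/[}]/, "}", line) }
        depth == 0 { insec = 0 }                  # left the security block
        END { exit found ? 0 : 1 }
    ' "$1"
}

# add_settings FILE -> print FILE to stdout with any missing mitigation line
# inserted right after "security {". Re-running on the output adds nothing.
add_settings() {
    need=""
    has_setting "$1" require_message_authenticator ||
        need="${need}\trequire_message_authenticator = auto\n"
    has_setting "$1" limit_proxy_state ||
        need="${need}\tlimit_proxy_state = auto\n"
    awk -v ins="$need" '
        { print }
        !done && /^[[:space:]]*security[[:space:]]*[{]/ { printf "%s", ins; done = 1 }
    ' "$1"
}

# write_sample PATH: a constructed, minimal radiusd.conf in the pre-3.0.27
# style (no mitigation lines) used to exercise the functions above.
write_sample() {
    cat > "$1" <<'EOF'
prefix = /usr
security {
	user = radiusd
	group = radiusd
	allow_core_dumps = no
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
listen {
	type = auth
	ipaddr = *
	port = 0
}
EOF
}

# Usage: sh check_radiusd_conf.sh /etc/raddb/radiusd.conf > radiusd.conf.new
if [ "$#" -gt 0 ]; then
    add_settings "$1"
fi
```

The script only prints the patched copy; review it, put it in place, and run `radiusd -C` (the same configuration check the unit's ExecStartPre performs in the status output further down) before restarting the service.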
katnatek
2024-07-13 18:01:08 CEST

Keywords: (none) => advisory

RH mageia 9 x86_64
LC_ALL=C urpmi freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-sqlite freeradius-unixODBC freeradius-yubikey
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "QA Testing (64-bit)")
freeradius 3.0.27 1.mga9 x86_64
freeradius-krb5 3.0.27 1.mga9 x86_64
freeradius-ldap 3.0.27 1.mga9 x86_64
freeradius-mysql 3.0.27 1.mga9 x86_64
freeradius-postgresql 3.0.27 1.mga9 x86_64
freeradius-sqlite 3.0.27 1.mga9 x86_64
freeradius-unixODBC 3.0.27 1.mga9 x86_64
freeradius-yubikey 3.0.27 1.mga9 x86_64
lib64freeradius1 3.0.27 1.mga9 x86_64
(medium "Core Release (distrib1)")
lib64hiredis0.13 0.13.3 8.mga9 x86_64
lib64memcached11 1.0.18 9.mga9 x86_64
lib64ykclient3 2.15 4.mga9 x86_64
lib64yubikey0 1.13 4.mga9 x86_64
perl-Net-IP 1.260.0 10.mga9 noarch
(medium "Core Updates (distrib3)")
lib64pq5 15.7 1.mga9 x86_64
lib64unixODBC2 2.3.11 1.1.mga9 x86_64
12MB of additional disk space will be used.
2.9MB of packages will be retrieved.
Proceed with the installation of the 16 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64memcached11-1.0.18-9.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64yubikey0-1.13-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64hiredis0.13-0.13.3-8.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/perl-Net-IP-1.260.0-10.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64ykclient3-2.15-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64pq5-15.7-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64unixODBC2-2.3.11-1.1.mga9.x86_64.rpm
installing //home/katnatek/qa-testing/x86_64/lib64freeradius1-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-yubikey-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-3.0.27-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64ykclient3-2.15-4.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-postgresql-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-ldap-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-unixODBC-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-mysql-3.0.27-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64pq5-15.7-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64memcached11-1.0.18-9.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64yubikey0-1.13-4.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64hiredis0.13-0.13.3-8.mga9.x86_64.rpm
/var/cache/urpmi/rpms/perl-Net-IP-1.260.0-10.mga9.noarch.rpm
/var/cache/urpmi/rpms/lib64unixODBC2-2.3.11-1.1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-sqlite-3.0.27-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/freeradius-krb5-3.0.27-1.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/16: lib64unixODBC2 ##################################################################################################
2/16: perl-Net-IP ##################################################################################################
3/16: lib64hiredis0.13 ##################################################################################################
4/16: lib64yubikey0 ##################################################################################################
5/16: lib64memcached11 ##################################################################################################
6/16: lib64pq5 ##################################################################################################
7/16: lib64ykclient3 ##################################################################################################
8/16: lib64freeradius1 ##################################################################################################
9/16: freeradius ##################################################################################################
Generating DH parameters, 2048 bit long safe prime
#some omitted output here ;)
10/16: freeradius-yubikey ##################################################################################################
11/16: freeradius-postgresql ##################################################################################################
12/16: freeradius-ldap ##################################################################################################
13/16: freeradius-unixODBC ##################################################################################################
14/16: freeradius-mysql ##################################################################################################
15/16: freeradius-sqlite ##################################################################################################
16/16: freeradius-krb5 ##################################################################################################
Reference bug#31291 comment#4
systemctl start radiusd
systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
Active: active (running) since Sat 2024-07-13 11:34:18 CST; 19s ago
Process: 401827 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 401829 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Main PID: 401831 (radiusd)
Tasks: 6 (limit: 6880)
Memory: 42.2M
CPU: 266ms
CGroup: /system.slice/radiusd.service
└─401831 /usr/sbin/radiusd -d /etc/raddb
jul 13 11:34:18 jgrey.phoenix systemd[1]: Starting radiusd.service...
jul 13 11:34:18 jgrey.phoenix systemd[1]: Started radiusd.service.
echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
systemctl restart radiusd
systemctl -l status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled; preset: disabled)
Active: active (running) since Sat 2024-07-13 11:35:52 CST; 25s ago
Process: 404795 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 404797 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Main PID: 404799 (radiusd)
Tasks: 6 (limit: 6880)
Memory: 41.9M
CPU: 251ms
CGroup: /system.slice/radiusd.service
└─404799 /usr/sbin/radiusd -d /etc/raddb
jul 13 11:35:52 jgrey.phoenix systemd[1]: Starting radiusd.service...
jul 13 11:35:52 jgrey.phoenix systemd[1]: Started radiusd.service.
radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 140 from 0.0.0.0:36064 to 127.0.0.1:1812 length 77
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 192.168.1.3
NAS-Port = 0
Cleartext-Password = "password"
Received Access-Accept Id 140 from 127.0.0.1:1812 to 127.0.0.1:36064 length 38
Message-Authenticator = 0x8271cce4da81f884ff192a4127f79548
Consistent with reference and previous round bug#33312 comment#3

CC: (none) => andrewsfarm

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0264.html

Status: NEW => RESOLVED