| Summary: | freeradius new security issue CVE-2012-3547 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, nanardon, oe, shlomif, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | Security, validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/515819/ | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | freeradius-2.1.12-8.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 8912 | ||
| Bug Blocks: | |||
Description

David Walser
2012-09-11 14:29:10 CEST

David Walser
2012-09-11 14:29:48 CEST
CC: (none) => nanardon

Upstream advisory: http://freeradius.org/security.html

URL: http://freeradius.org/security.html => http://lwn.net/Vulnerabilities/515819/

Debian has issued an advisory for this on September 11:
http://www.debian.org/security/2012/dsa-2546

Mandriva has issued an advisory for this today (October 3):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159

CC: (none) => oe

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long not after timestamp in a client certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159
========================

Updated packages in core/updates_testing:
========================
freeradius-2.1.12-8.1.mga2
freeradius-krb5-2.1.12-8.1.mga2
freeradius-ldap-2.1.12-8.1.mga2
freeradius-postgresql-2.1.12-8.1.mga2
freeradius-mysql-2.1.12-8.1.mga2
freeradius-unixODBC-2.1.12-8.1.mga2
freeradius-sqlite-2.1.12-8.1.mga2
libfreeradius1-2.1.12-8.1.mga2
libfreeradius-devel-2.1.12-8.1.mga2
freeradius-web-2.1.12-8.1.mga2

from freeradius-2.1.12-8.1.mga2.src.rpm

Assignee: nanardon => qa-bugs

Some simple tests here in 'Initial Tests': http://freeradius.org/doc/
No PoC's.

Hi all,
with freeradius-2.1.12-8.1.mga2, I am getting:
root@lap:/etc/raddb$ radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-mageia-linux-gnu, built on Oct 9 2012 at 21:46:09
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
WARNING: No such configuration item certdir
/etc/raddb/eap.conf[284]: Reference "${certdir}/bootstrap" not found
Errors reading /etc/raddb/radiusd.conf
root@lap:/etc/raddb$ rpm -q freeradius
freeradius-2.1.12-8.1.mga2
Something seems wrong and I don't know how to fix it.

Mageia 2, x86-64.

CC: (none) => shlomif

OK, it also happens with freeradius-2.1.12-8.mga2 (the one not in updates_testing).

To Olivier Thauvin: is what Shlomi Fish reports normal, or is there a problem in the package? And if there's a problem, do you want to fix it in this update or shall we try to push the security fix first? (With testing steps to pass the above issue please, since we don't know this package well.)
Samuel Verschelde
2012-10-18 21:42:07 CEST
Whiteboard: (none) => feedback

Please update the security fix first, I am very busy and don't know when I'll look at this.

Samuel Verschelde
2012-10-18 22:28:32 CEST
Whiteboard: feedback => (none)

In order to get the server to start, comment out line 284 in /etc/raddb/eap.conf.

In /lib/systemd/system/radiusd.service, change the chown command to have radius:radius instead of radiusd.radiusd.

After the above changes, the service starts ok. Still looking into how to test it.

CC: (none) => davidwhodgins

http://en.wikipedia.org/wiki/RADIUS has a description of what a radius server is.

http://freeradius.org/doc/ seems to have some basic tests, that should be enough for testing this update.

[dave@i2v ~]$ radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 194 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20
The server is responding. I think that's about all we should test for this update.

Testing complete on Mageia 2 i586.

I think /lib/systemd/system/radiusd.service will get overwritten by the update, so the advisory should also state that it may need to be fixed.

Whiteboard: (none) => MGA2-32-OK

Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm freeradius-2.1.12-8.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long not after timestamp in a client certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159

Note that there are known errors included in this update, that will be fixed in a later, bugfix update. For details, see https://bugs.mageia.org/show_bug.cgi?id=7447#c11

Keywords: (none) => Security, validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0304

Status: NEW => RESOLVED

claire robinson
2013-01-31 12:07:54 CET
Depends on: (none) => 8912
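The advisory quoted in this bug describes the bug class behind CVE-2012-3547: a variable-length certificate field (the notAfter timestamp) reaching a fixed-size stack buffer in cbtls_verify. The C below is an added example, not FreeRADIUS code, showing the defensive pattern a verifier should apply: check the raw time string against the only two encodings RFC 5280 permits, then copy it only if it fits; the function names and the 64-byte buffer are assumptions for illustration.

```c
#include <string.h>

/* Two-digit decimal field at offset off; caller has already checked digits. */
static int field2(const char *s, size_t off)
{
    return (s[off] - '0') * 10 + (s[off + 1] - '0');
}

/* RFC 5280 allows only two encodings for a certificate validity time:
 * UTCTime "YYMMDDHHMMSSZ" (13 bytes) or GeneralizedTime "YYYYMMDDHHMMSSZ"
 * (15 bytes). Anything else, including anything longer, is rejected here,
 * before the value is copied anywhere. Returns 1 if well-formed, else 0. */
int not_after_is_well_formed(const char *t, size_t len)
{
    size_t i, off;                       /* off = offset of the MM field */
    if (len == 13)      off = 2;
    else if (len == 15) off = 4;
    else                return 0;
    if (t[len - 1] != 'Z')
        return 0;
    for (i = 0; i + 1 < len; i++)
        if (t[i] < '0' || t[i] > '9')
            return 0;
    if (field2(t, off) < 1 || field2(t, off) > 12)         return 0; /* month */
    if (field2(t, off + 2) < 1 || field2(t, off + 2) > 31) return 0; /* day */
    if (field2(t, off + 4) > 23)                           return 0; /* hour */
    if (field2(t, off + 6) > 59)                           return 0; /* minute */
    if (field2(t, off + 8) > 59)                           return 0; /* second */
    return 1;
}

/* Bounded copy into a fixed buffer: refuse rather than truncate or overflow. */
int copy_not_after(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    if (dstlen == 0 || srclen > dstlen - 1)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Hypothetical verification step (not cbtls_verify itself); the 64-byte stack
 * buffer stands in for the fixed buffer the advisory describes. 1 = accept. */
int verify_not_after(const char *raw, size_t rawlen)
{
    char buf[64];
    if (!not_after_is_well_formed(raw, rawlen))
        return 0;
    return copy_not_after(raw, rawlen, buf, sizeof buf) == 0;
}
```

The point is that the length check happens on the raw field before any copy, so an oversized value is rejected as a bad certificate instead of reaching the stack buffer.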