Multiple issues found by Guido Vranken allow remote code execution https://guidovranken.wordpress.com/2017/07/17/11-remote-vulnerabilities-inc-2x-rce-in-freeradius-packet-parsers/ Affected versions are MGA5 (v2), MGA6 and Cauldron (v3). v2, v3: CVE-2017-10978. No remote code execution is possible. A denial of service is possible. v2: CVE-2017-10979. Remote code execution is possible. A denial of service is possible. v2: CVE-2017-10980. No remote code execution is possible. A denial of service is possible. v2: CVE-2017-10981. No remote code execution is possible. A denial of service is possible. v2: CVE-2017-10982. No remote code execution is possible. A denial of service is possible. v2, v3: CVE-2017-10983. No remote code execution is possible. A denial of service is possible. v3: CVE-2017-10984. Remote code execution is possible. A denial of service is possible. v3: CVE-2017-10985. No remote code execution is possible. A denial of service is possible. v3: CVE-2017-10986. No remote code execution is possible. A denial of service is possible. v3: CVE-2017-10987. No remote code execution is possible. A denial of service is possible. v3: CVE-2017-10988. No remote code execution is possible. No denial of service is possible. Exploitation does not cross a privilege boundary in a correct and realistic product deployment. Unfortunately I cannot provide a new spec file before mid of next week.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsWhiteboard: (none) => MGA6TOO, MGA5TOOVersion: 6 => CauldronCC: (none) => marja11
Should be fixed upstream in 2.2.10 and 3.0.15: http://freeradius.org/security/fuzzer-2017.html
Summary: 11 remote vulnerabilities (inc. 2x RCE) in FreeRADIUS: CVE-2017-10978 to CVE-2017-10988 => freeradius new security issues CVE-2017-1097[89] and CVE-2017-1098[0-8]
Update to version 3.0.15 submitted for cauldron. Updated packages uploaded for Mageia 5 and 6. Advisory: ======================== Updated freeradius package fixes security vulnerabilities: Fuzz testing of freeradius found multiple vulnerabilites that resulted in either the potential for remote code execution or a possible denial of service (except for CVE-2017-10988 which was later determined to not actually result in any vulnerability). References: https://guidovranken.wordpress.com/2017/07/17/11-remote-vulnerabilities-inc-2x-rce-in-freeradius-packet-parsers/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10980 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10981 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10982 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10983 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10984 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10985 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10986 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10987 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10988 ======================== Updated packages in core/updates_testing: ======================== freeradius-2.2.10-1.mga5 freeradius-debuginfo-2.2.10-1.mga5 freeradius-krb5-2.2.10-1.mga5 freeradius-ldap-2.2.10-1.mga5 freeradius-mysql-2.2.10-1.mga5 freeradius-postgresql-2.2.10-1.mga5 freeradius-sqlite-2.2.10-1.mga5 freeradius-unixODBC-2.2.10-1.mga5 freeradius-web-2.2.10-1.mga5 freeradius-yubikey-2.2.10-1.mga5 lib64freeradius1-2.2.10-1.mga5 lib64freeradius-devel-2.2.10-1.mga5 from freeradius-2.2.10-1.mga5.src.rpm freeradius-3.0.15-1.mga6 freeradius-debuginfo-3.0.15-1.mga6 freeradius-krb5-3.0.15-1.mga6 freeradius-ldap-3.0.15-1.mga6 freeradius-mysql-3.0.15-1.mga6 freeradius-postgresql-3.0.15-1.mga6 freeradius-sqlite-3.0.15-1.mga6 freeradius-unixODBC-3.0.15-1.mga6 freeradius-yubikey-3.0.15-1.mga6 lib64freeradius1-3.0.15-1.mga6 lib64freeradius-devel-3.0.15-1.mga6 from freeradius-3.0.15-1.mga6.src.rpm Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8726
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOCC: (none) => mramboVersion: Cauldron => 6Assignee: pkg-bugs => qa-bugs
MGA6-32 on Asus A6000VM MATE No installation issues Followed test procedure as per bug 8726 At CLI # systemctl start radiusd.service # systemctl status radiusd.service ● radiusd.service - FreeRADIUS high performance RADIUS server. Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: enabled) Active: active (running) since vr 2017-07-28 11:37:08 CEST; 14s ago Process: 15796 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS) Process: 15792 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS) Main PID: 15801 (radiusd) CGroup: /system.slice/radiusd.service └─15801 /usr/sbin/radiusd -d /etc/raddb # echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users checked string appended to the file # systemctl restart radiusd # systemctl status radiusd.service ● radiusd.service - FreeRADIUS high performance RADIUS server. Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: enabled) Active: active (running) since vr 2017-07-28 11:41:47 CEST; 4s ago Process: 16597 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS) Process: 16594 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS) Main PID: 16600 (radiusd) CGroup: /system.slice/radiusd.service └─16600 /usr/sbin/radiusd -d /etc/raddb jul 28 11:41:46 mach6.hviaene.thuis systemd[1]: Stopped FreeRADIUS high performance RADIUS server.. jul 28 11:41:46 mach6.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server.... jul 28 11:41:47 mach6.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server.. # radtest testing password 127.0.0.1 0 testing123 Sent Access-Request Id 45 from 0.0.0.0:37690 to 127.0.0.1:1812 length 77 User-Name = "testing" User-Password = "password" NAS-IP-Address = 192.168.2.6 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "password" Received Access-Accept Id 45 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 OK for this M6.
CC: (none) => herman.viaeneWhiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
Updated my server on MGA5-32 to freeradius-2.2.10-1.mga5 - No installation problems - Restart of service was fine # systemctl restart radiusd.service # systemctl status radiusd.service ● radiusd.service - FreeRADIUS high performance RADIUS server. Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled) Active: active (running) since Fr 2017-07-28 23:17:50 CEST; 5s ago Process: 934 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS) Process: 932 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS) Main PID: 938 (radiusd) CGroup: /system.slice/radiusd.service └─938 /usr/sbin/radiusd -d /etc/raddb Jul 28 23:17:50 sfc systemd[1]: Starting FreeRADIUS high performance RADIUS server.... Jul 28 23:17:50 sfc systemd[1]: Started FreeRADIUS high performance RADIUS server.. # Test procedure as per bug 8726 using radtest was also fine. MGA5-32-OK
Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-32-OK
Advisory uploaded, validating.
Keywords: (none) => validated_updateWhiteboard: MGA5TOO MGA6-32-OK MGA5-32-OK => advisory MGA5TOO MGA6-32-OK MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0232.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED