Bug 21268 - freeradius new security issues CVE-2017-1097[89] and CVE-2017-1098[0-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://freeradius.org/security/fuzzer...
Whiteboard: advisory MGA5TOO MGA6-32-OK MGA5-32-OK
Keywords: validated_update
Reported: 2017-07-17 21:43 CEST by Stefan Puch
Modified: 2017-07-30 17:59 CEST
Source RPM: freeradius-3.0.14-1.mga6.src.rpm freeradius-2.2.9-1.mga5.src.rpm

Description Stefan Puch 2017-07-17 21:43:42 CEST
Multiple issues found by Guido Vranken allow remote code execution

https://guidovranken.wordpress.com/2017/07/17/11-remote-vulnerabilities-inc-2x-rce-in-freeradius-packet-parsers/

Affected versions are MGA5 (v2), MGA6 and Cauldron (v3).


v2, v3: CVE-2017-10978. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10979. Remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10980. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10981. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10982. No remote code execution is possible. A denial of service is possible.
v2, v3: CVE-2017-10983. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10984. Remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10985. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10986. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10987. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10988. No remote code execution is possible. No denial of service is possible. Exploitation does not cross a privilege boundary in a correct and realistic product deployment.


Unfortunately I cannot provide a new spec file before the middle of next week.
Comment 1 Marja Van Waes 2017-07-17 23:24:31 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
Whiteboard: (none) => MGA6TOO, MGA5TOO
Version: 6 => Cauldron
CC: (none) => marja11

Comment 2 David Walser 2017-07-18 12:13:13 CEST
Should be fixed upstream in 2.2.10 and 3.0.15:
http://freeradius.org/security/fuzzer-2017.html

Summary: 11 remote vulnerabilities (inc. 2x RCE) in FreeRADIUS: CVE-2017-10978 to CVE-2017-10988 => freeradius new security issues CVE-2017-1097[89] and CVE-2017-1098[0-8]

Comment 3 Mike Rambo 2017-07-26 19:42:44 CEST
Update to version 3.0.15 submitted for cauldron.


Updated packages uploaded for Mageia 5 and 6.

Advisory:
========================

Updated freeradius package fixes security vulnerabilities:

Fuzz testing of freeradius found multiple vulnerabilities that resulted in either the potential for remote code execution or a possible denial of service (except for CVE-2017-10988 which was later determined to not actually result in any vulnerability).

References:
https://guidovranken.wordpress.com/2017/07/17/11-remote-vulnerabilities-inc-2x-rce-in-freeradius-packet-parsers/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10988
========================

Updated packages in core/updates_testing:
========================
freeradius-2.2.10-1.mga5
freeradius-debuginfo-2.2.10-1.mga5
freeradius-krb5-2.2.10-1.mga5
freeradius-ldap-2.2.10-1.mga5
freeradius-mysql-2.2.10-1.mga5
freeradius-postgresql-2.2.10-1.mga5
freeradius-sqlite-2.2.10-1.mga5
freeradius-unixODBC-2.2.10-1.mga5
freeradius-web-2.2.10-1.mga5
freeradius-yubikey-2.2.10-1.mga5
lib64freeradius1-2.2.10-1.mga5
lib64freeradius-devel-2.2.10-1.mga5

from freeradius-2.2.10-1.mga5.src.rpm

freeradius-3.0.15-1.mga6
freeradius-debuginfo-3.0.15-1.mga6
freeradius-krb5-3.0.15-1.mga6
freeradius-ldap-3.0.15-1.mga6
freeradius-mysql-3.0.15-1.mga6
freeradius-postgresql-3.0.15-1.mga6
freeradius-sqlite-3.0.15-1.mga6
freeradius-unixODBC-3.0.15-1.mga6
freeradius-yubikey-3.0.15-1.mga6
lib64freeradius1-3.0.15-1.mga6
lib64freeradius-devel-3.0.15-1.mga6

from freeradius-3.0.15-1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8726

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mrambo
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
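
A check that a host is running one of the fixed releases named in this bug (2.2.10 for the v2 branch, 3.0.15 for the v3 branch), as an added example that is not part of the bug report or the Mageia tooling. The helper names are hypothetical, and treating every earlier release of a branch as lacking the fix is an assumption.

```shell
#!/bin/sh
# Added example: compare a FreeRADIUS version with the fixed releases
# named in this bug (2.2.10 for v2, 3.0.15 for v3).
# version_lt and freeradius_fix_status are hypothetical helper names.

# Succeeds when version $1 sorts strictly before version $2.
# sort -V compares numerically per component, so 2.2.9 < 2.2.10
# (a plain string comparison would get that pair wrong).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints "outdated", "fixed" or "unknown" for an upstream version such as
# 3.0.14 or an RPM version-release such as 2.2.9-1.mga5.
# Assumption: every release older than the fix in its branch lacks the fix.
freeradius_fix_status() {
    ver=${1%%-*}                 # drop the RPM release suffix, if any
    case "$ver" in
        2.*) fixed=2.2.10 ;;
        3.*) fixed=3.0.15 ;;
        *)   echo unknown; return 0 ;;
    esac
    if version_lt "$ver" "$fixed"; then
        echo outdated
    else
        echo fixed
    fi
}

# On an RPM-based system the installed version can be passed in with:
#   freeradius_fix_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' freeradius)"
```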

Comment 4 Herman Viaene 2017-07-28 11:48:46 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues
Followed test procedure as per bug 8726
At CLI
# systemctl start radiusd.service
# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: enabled)
   Active: active (running) since vr 2017-07-28 11:37:08 CEST; 14s ago
  Process: 15796 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 15792 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
 Main PID: 15801 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─15801 /usr/sbin/radiusd -d /etc/raddb

# echo 'testing Cleartext-Password := "password"' >> /etc/raddb/users
checked string appended to the file

# systemctl restart radiusd
# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: enabled)
   Active: active (running) since vr 2017-07-28 11:41:47 CEST; 4s ago
  Process: 16597 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 16594 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
 Main PID: 16600 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─16600 /usr/sbin/radiusd -d /etc/raddb

jul 28 11:41:46 mach6.hviaene.thuis systemd[1]: Stopped FreeRADIUS high performance RADIUS server..
jul 28 11:41:46 mach6.hviaene.thuis systemd[1]: Starting FreeRADIUS high performance RADIUS server....
jul 28 11:41:47 mach6.hviaene.thuis systemd[1]: Started FreeRADIUS high performance RADIUS server..

# radtest testing password 127.0.0.1 0 testing123
Sent Access-Request Id 45 from 0.0.0.0:37690 to 127.0.0.1:1812 length 77
	User-Name = "testing"
	User-Password = "password"
	NAS-IP-Address = 192.168.2.6
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
Received Access-Accept Id 45 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

OK for this M6.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK

Comment 5 Stefan Puch 2017-07-28 23:20:55 CEST
Updated my server on MGA5-32 to freeradius-2.2.10-1.mga5

- No installation problems
- Restart of service was fine
# systemctl restart radiusd.service
# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled)
   Active: active (running) since Fr 2017-07-28 23:17:50 CEST; 5s ago
  Process: 934 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 932 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
 Main PID: 938 (radiusd)
   CGroup: /system.slice/radiusd.service
           └─938 /usr/sbin/radiusd -d /etc/raddb

Jul 28 23:17:50 sfc systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Jul 28 23:17:50 sfc systemd[1]: Started FreeRADIUS high performance RADIUS server..
#

Test procedure as per bug 8726 using radtest was also fine.

MGA5-32-OK

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-32-OK

Comment 6 Rémi Verschelde 2017-07-30 14:21:48 CEST
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-32-OK MGA5-32-OK => advisory MGA5TOO MGA6-32-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-07-30 17:59:44 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0232.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

