Bug 7447 - freeradius new security issue CVE-2012-3547
: freeradius new security issue CVE-2012-3547
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/515819/
: MGA2-32-OK MGA2-64-OK
: Security, validated_update
: 8912
:
  Show dependency treegraph
 
Reported: 2012-09-11 14:29 CEST by David Walser
Modified: 2013-01-31 12:07 CET (History)
6 users (show)

See Also:
Source RPM: freeradius-2.1.12-8.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-09-11 14:29:10 CEST
As was reported on IRC by oden, the version in Cauldron is not affected.
Comment 1 David Walser 2012-09-12 21:50:55 CEST
Upstream advisory:
http://freeradius.org/security.html
Comment 2 David Walser 2012-09-12 21:51:23 CEST
Debian has issued an advisory for this on September 11:
http://www.debian.org/security/2012/dsa-2546
Comment 3 David Walser 2012-10-03 14:46:49 CEST
Mandriva has issued an advisory for this today (October 3):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159
Comment 4 David Walser 2012-10-09 23:51:33 CEST
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS
2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote
attackers to cause a denial of service (server crash) and possibly
execute arbitrary code via a long not after timestamp in a client
certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159
========================

Updated packages in core/updates_testing:
========================
freeradius-2.1.12-8.1.mga2
freeradius-krb5-2.1.12-8.1.mga2
freeradius-ldap-2.1.12-8.1.mga2
freeradius-postgresql-2.1.12-8.1.mga2
freeradius-mysql-2.1.12-8.1.mga2
freeradius-unixODBC-2.1.12-8.1.mga2
freeradius-sqlite-2.1.12-8.1.mga2
libfreeradius1-2.1.12-8.1.mga2
libfreeradius-devel-2.1.12-8.1.mga2
freeradius-web-2.1.12-8.1.mga2

from freeradius-2.1.12-8.1.mga2.src.rpm
Comment 5 claire robinson 2012-10-11 16:46:59 CEST
Some simple tests here in 'Initial Tests'

http://freeradius.org/doc/
Comment 6 claire robinson 2012-10-11 16:49:17 CEST
No PoC's
Comment 7 Shlomi Fish 2012-10-18 21:20:38 CEST
Hi all,

with freeradius-2.1.12-8.1.mga2, I am getting:

root@lap:/etc/raddb$ radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-mageia-linux-gnu, built on Oct  9 2012 at 21:46:09
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/eap.conf
WARNING: No such configuration item certdir
/etc/raddb/eap.conf[284]: Reference "${certdir}/bootstrap" not found
Errors reading /etc/raddb/radiusd.conf
root@lap:/etc/raddb$ rpm -q freeradius
freeradius-2.1.12-8.1.mga2

Something seems wrong and I don't know how to fix it.

Mageia 2, x86-64.
Comment 8 Shlomi Fish 2012-10-18 21:31:00 CEST
OK, it also happens with freeradius-2.1.12-8.mga2 (the one not in updates_testing).
Comment 9 Samuel Verschelde 2012-10-18 21:41:57 CEST
to Olivier Thauvin: is what Shlomi Fish reports normal, or is there a problem in the package? And if there's a problem, do you want to fix it in this update or shall we try to push the security fix first? (with testing steps to pass the above issue please, since we don't know about this package well)
Comment 10 Olivier Thauvin 2012-10-18 22:18:47 CEST
Please update the security fix first, I am very busy and don't know when I'll look at this.
Comment 11 Dave Hodgins 2012-10-24 02:52:23 CEST
In order to get the server to start,
comment out line 284 in /etc/raddb/eap.conf

In /lib/systemd/system/radiusd.service change the chown command to have
radius:radius instead of radiusd.radiusd

After the above changes, the service starts ok. Still looking into how to
test it.
Comment 12 Dave Hodgins 2012-10-24 03:02:00 CEST
http://en.wikipedia.org/wiki/RADIUS has a description of what a radius server is.

http://freeradius.org/doc/ seems to have some basic tests, that should be
enough for testing this update.
Comment 13 Dave Hodgins 2012-10-24 03:22:09 CEST
[dave@i2v ~]$ radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 194 to 127.0.0.1 port 1812
        User-Name = "testing"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20

The server is responding.  I think that's about all we should
test for this update.

Testing complete on Mageia 2 i586.

I think /lib/systemd/system/radiusd.service will get overwritten
by the update, so the advisory should also state that it may
need to be fixed.
Comment 14 Dave Hodgins 2012-10-26 03:47:14 CEST
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
freeradius-2.1.12-8.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated freeradius packages fix security vulnerability:

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS
2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote
attackers to cause a denial of service (server crash) and possibly
execute arbitrary code via a long not after timestamp in a client
certificate (CVE-2012-3547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://freeradius.org/security.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:159

Note that there are known errors included in this update, that will
be fixed in a later, bugfix update.  For details, see
https://bugs.mageia.org/show_bug.cgi?id=7447#c11
Comment 15 Thomas Backlund 2012-10-29 00:38:09 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0304

Note You need to log in before you can comment on or make changes to this bug.