SB2013031304 - Credentials management in FreeRADIUS
Published: March 13, 2013 Updated: August 11, 2020
Security Bulletin ID
SB2013031304
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Credentials management (CVE-ID: CVE-2011-4966)
The vulnerability allows a remote #AU# to read and manipulate data.
modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00079.html
- http://rhn.redhat.com/errata/RHBA-2012-0881.html
- http://rhn.redhat.com/errata/RHSA-2013-0134.html
- https://github.com/alandekok/freeradius-server/commit/1b1ec5ce75e224bd1755650c18ccdaa6dc53e605