SB2019082069 - Permissions, Privileges, and Access Controls in freeradius (Alpine package)
Published: August 20, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-10143)
The vulnerability allows a local authenticated user to execute arbitrary code.
** DISPUTED ** It was discovered that freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
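A defender's check for the configuration class described above, as an added example that is not taken from this bulletin, FreeRADIUS or Alpine: it parses logrotate configuration text and lists the log paths that would be rotated under logrotate's default root identity because no `su` directive applies. Treating a missing `su` as the finding is an assumption, since the bulletin does not spell out the change; the sample stanza, its paths and the function names are constructed.

```python
import re

# Constructed sample shaped like a package-shipped logrotate file for a
# daemon running as "radiusd"; paths and options are illustrative only.
SAMPLE_WEAK = """\
# rotate radius logs
/var/log/radius/radius.log /var/log/radius/radwtmp {
    weekly
    rotate 4
    missingok
    create 0640 radiusd radiusd
}
"""
# Same stanza with logrotate's "su <user> <group>" directive added.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    "    create", "    su radiusd radiusd\n    create")

SU_RE = re.compile(r"^su\s+(\S+)(?:\s+(\S+))?$")

def audit_logrotate(text):
    """Return [(log_path, su_user_or_None)] for each path in each stanza.

    Simplification: expects the opening "{" on the same line as the paths.
    """
    results, global_su, paths, stanza_su, in_stanza = [], None, [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if not in_stanza:
            if line.endswith("{"):            # "path [path ...] {"
                paths, stanza_su, in_stanza = line[:-1].split(), None, True
            else:
                m = SU_RE.match(line)         # global su applies to later stanzas
                if m:
                    global_su = m.group(1)
        elif line == "}":
            results += [(p, stanza_su or global_su) for p in paths]
            in_stanza = False
        else:
            m = SU_RE.match(line)             # stanza-level su overrides global
            if m:
                stanza_su = m.group(1)
    return results

def rotated_as_root(text):
    """Paths logrotate would handle with its default (root) identity."""
    return [p for p, user in audit_logrotate(text) if user is None]
```

Any path this returns that sits in a directory writable by the service account deserves a manual look at the directory's ownership and mode.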
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=845ceeb84a5356dfef381071a5fcbffff147dd8e
- https://git.alpinelinux.org/aports/commit/?id=9efccd10b731a53429a96bea0144057e3753ddef
- https://git.alpinelinux.org/aports/commit/?id=f15e593c31c3b529bf34eb9eae1e428258c6f030
- https://git.alpinelinux.org/aports/commit/?id=10fc00b3dbc9a5c90dd9c54ae5c6f94975e6b63b
- https://git.alpinelinux.org/aports/commit/?id=39ad148a1b03ffa56801c3ded59b34d6ac0e4dd1