Multiple vulnerabilities in FreeRADIUS
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-13456 CVE-2019-17185 |
| CWE-ID | CWE-200 CWE-399 CWE-62 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
FreeRADIUS Server applications / Directory software, identity management |
| Vendor | FreeRADIUS Server Project |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 26.01.2021
Added vulnerability #3.
1) Information disclosure
EUVDB-ID: #VU27344
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13456
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way FreeRadius processes EAP-pwd handshakes. on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFreeRADIUS: 3.0.0 - 3.0.19
External linkshttp://bugzilla.redhat.com/show_bug.cgi?id=1737663
http://freeradius.org/security/
http://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
http://wpa3.mathyvanhoef.com
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU27346
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17185
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the EAP-pwd module uses a global OpenSSL BN_CTX instance to handle all
handshakes. This mean multiple threads use the same BN_CTX instance
concurrently, resulting in crashes when concurrent EAP-pwd handshakes
are initiated. A remote attacker can perform multiple login attempts and crash the daemon.
Install updates from vendor's website.
Vulnerable software versionsFreeRADIUS: 3.0.0 - 3.0.19
External linkshttp://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html
http://freeradius.org/security/
http://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) UNIX Hard Link
EUVDB-ID: #VU50016
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-62 - UNIX Hard Link
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the way FreeRadius is being started on the system. The systemd service file for freeradius runs "chown -R" on a directory before it starts:
ExecStartPre=-/bin/chown -R radius.radius /run/radiusd
That can be exploited by the "radius" user to gain root privileges. After the service has been started once, the radius user can place a hard link to a root-owned file in /run/radiusd. If the service is later restarted, then the "chown -R" command will give away ownership of that root-owned file to the "radius" user.
As a result, a local user can execute arbitrary code on the system as root.
Install updates from vendor's website.
Vulnerable software versionsFreeRADIUS: 3.0.0 - 3.0.19
External linkshttp://security.gentoo.org/glsa/202101-27
http://bugs.gentoo.org/630910
http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48cd44905411daf0c9914d0df63b387e29e75b10
http://github.com/FreeRADIUS/freeradius-server/commit/26e412b0f775d7219364fec3c204ba6e5877ff1a
http://github.com/FreeRADIUS/freeradius-server/commit/b6f8a6fdd456ebfa889b8867317632bd0ac6b887
http://github.com/FreeRADIUS/freeradius-server/commit/aec8b3e9bbdb67b04fbd3eca8e757e1f114ec613
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
