SB2019120323 - Multiple vulnerabilities in FreeRADIUS
Published: December 3, 2019 Updated: January 26, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-13456)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way FreeRadius processes EAP-pwd handshakes. on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user.
2) Resource management error (CVE-ID: CVE-2019-17185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the EAP-pwd module uses a global OpenSSL BN_CTX instance to handle all
handshakes. This mean multiple threads use the same BN_CTX instance
concurrently, resulting in crashes when concurrent EAP-pwd handshakes
are initiated. A remote attacker can perform multiple login attempts and crash the daemon.
3) UNIX Hard Link (CVE-ID: N/A)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the way FreeRadius is being started on the system. The systemd service file for freeradius runs "chown -R" on a directory before it starts:
ExecStartPre=-/bin/chown -R radius.radius /run/radiusd
That can be exploited by the "radius" user to gain root privileges. After the service has been started once, the radius user can place a hard link to a root-owned file in /run/radiusd. If the service is later restarted, then the "chown -R" command will give away ownership of that root-owned file to the "radius" user.
As a result, a local user can execute arbitrary code on the system as root.
Remediation
Install update from vendor's website.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1737663
- https://freeradius.org/security/
- https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
- https://wpa3.mathyvanhoef.com
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html
- https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_0_20
- https://security.gentoo.org/glsa/202101-27
- https://bugs.gentoo.org/630910
- https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48cd44905411daf0c9914d0df63b387e29e75b10
- https://github.com/FreeRADIUS/freeradius-server/commit/26e412b0f775d7219364fec3c204ba6e5877ff1a
- https://github.com/FreeRADIUS/freeradius-server/commit/b6f8a6fdd456ebfa889b8867317632bd0ac6b887
- https://github.com/FreeRADIUS/freeradius-server/commit/aec8b3e9bbdb67b04fbd3eca8e757e1f114ec613