openEuler update for freeradius

Published: 2022-12-30

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2022-41860 CVE-2022-41861
CWE-ID	CWE-476 CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	openEuler Operating systems & Components / Operating system freeradius-utils Operating systems & Components / Operating system package or component freeradius-sqlite Operating systems & Components / Operating system package or component freeradius-debuginfo Operating systems & Components / Operating system package or component freeradius-debugsource Operating systems & Components / Operating system package or component freeradius-krb5 Operating systems & Components / Operating system package or component freeradius-perl Operating systems & Components / Operating system package or component freeradius-postgresql Operating systems & Components / Operating system package or component python2-freeradius Operating systems & Components / Operating system package or component freeradius-ldap Operating systems & Components / Operating system package or component freeradius-mysql Operating systems & Components / Operating system package or component freeradius-devel Operating systems & Components / Operating system package or component freeradius-help Operating systems & Components / Operating system package or component freeradius Operating systems & Components / Operating system package or component
Vendor	openEuler

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) NULL pointer dereference

EUVDB-ID: #VU70505

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41860

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the EAP-SIM module when parsing an unknown SIM option. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

freeradius-utils: before 3.0.15-25

freeradius-sqlite: before 3.0.15-25

freeradius-debuginfo: before 3.0.15-25

freeradius-debugsource: before 3.0.15-25

freeradius-krb5: before 3.0.15-25

freeradius-perl: before 3.0.15-25

freeradius-postgresql: before 3.0.15-25

python2-freeradius: before 3.0.15-25

freeradius-ldap: before 3.0.15-25

freeradius-mysql: before 3.0.15-25

freeradius-devel: before 3.0.15-25

freeradius-help: before 3.0.15-25

freeradius: before 3.0.15-25

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2165

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU70506

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41861

CWE-ID: CWE-20 - Improper input validation