Vulnerability identifier: #VU32360
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-295
Exploitation vector: Network
Exploit availability: No
Vulnerable software: FreeRADIUS (Server applications / Directory software, identity management)
Vendor: FreeRADIUS Server Project
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check the revocation status of intermediate CA certificates in a presented certificate chain.
Mitigation
Install update from vendor's website.
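Added here as an illustration and not part of the original advisory: the CRL-related settings in the EAP TLS configuration of a fixed FreeRADIUS release. The option names check_crl and check_all_crl are FreeRADIUS's own; the file path (mods-available/eap), section name and certificate file names assume a default 3.0.x layout and are constructed for this excerpt.

```conf
# Constructed excerpt of the tls-config block in mods-available/eap, FreeRADIUS 3.0.9 or later.
# In affected releases, enabling check_crl did not cover intermediate CA certificates
# (the defect described above); fixed releases provide check_all_crl for the whole chain.
tls-config tls-common {
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    ca_file = ${cadir}/ca.pem

    # Directory holding the CA certificates and their CRLs, indexed with OpenSSL's c_rehash.
    ca_path = ${cadir}

    # Weak on its own: revocation is applied to the client (leaf) certificate.
    check_crl = yes

    # Corrected: also check every intermediate CA in the chain against its CRL.
    # The CRLs issued for the intermediates must be present and rehashed in ca_path,
    # otherwise chains through those CAs will fail validation once this is enabled.
    check_all_crl = yes
}
```

After updating, verify with a test client whose certificate chains through a deliberately revoked intermediate in a lab CA; the server should reject it only when both options are set.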
Vulnerable software versions
FreeRADIUS: 2.2.0 - 2.2.7
External links
https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00010.html
https://packetstormsecurity.com/files/132415/FreeRADIUS-Insufficient-CRL-Application.html
https://www.ocert.org/advisories/ocert-2015-008.html
https://www.securityfocus.com/archive/1/535810/100/0/threaded
https://www.securityfocus.com/bid/75327
https://www.securitytracker.com/id/1032690
https://bugzilla.redhat.com/show_bug.cgi?id=1234975
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.