#VU7555 Memory leak in FreeRADIUS
Vulnerability identifier: #VU7555
Vulnerability risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-401
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
FreeRADIUS
Server applications /
Directory software, identity management
Vendor: FreeRADIUS Server Project
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak in fr_dhcp_decode() function when processing DHCP packets. A remote attacker on local network can send specially crafted DHCP packets with malicious options to vulnerable system and trigger denial of service attack.
Mitigation
Update to version 2.2.10.
Vulnerable software versions
FreeRADIUS: 2.2.0 - 2.2.9
External links
http://freeradius.org/security/fuzzer-2017.html#FR-GV-204
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
