CVE-2007-2028: vulnerable to memory exhaustion via malformed Diameter format attributes inside of an EAP-TTLS tunnel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
freeradius (Fedora) | Fix Released | Medium | |
freeradius (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | Undecided | William Grant |
Edgy | Fix Released | Undecided | William Grant |
Feisty | Fix Released | Undecided | William Grant |
Bug Description
Binary package hint: freeradius
Security update from http://
"v1.1.5, and earlier - A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project."
Changed in freeradius:
status: New → Fix Released
Changed in freeradius:
status: Unknown → Fix Released
Changed in freeradius:
status: In Progress → Triaged
Changed in freeradius:
status: Triaged → In Progress
Changed in freeradius:
status: Fix Committed → Fix Released
Changed in freeradius (Fedora):
importance: Unknown → Medium
A flaw was found in the way FreeRADIUS parses certain authentication requests. www.freeradius.org/security.html
The upstream description explains it as such:
http://
2007.04.10 v1.1.5, and earlier - A malicious 802.1x supplicant could send
malformed Diameter format attributes inside of an EAP-TTLS tunnel. The
server would reject the authentication request, but would leak one
VALUE_PAIR data structure, of approximately 300 bytes. If an attacker
performed the attack many times (e.g. thousands or more over a period of
minutes to hours), the server could leak megabytes of memory, potentially
leading to an "out of memory" condition, and early process exit.
We recommend that administrators using EAP-TTLS upgrade immediately.
This bug was found as part of the Coverity Scan project.
The EAP-TTLS support is not enabled by default in any FreeRADIUS
installations.
This flaw also affects RHEL 3 and 4.
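
The failure mode in the upstream description (request rejected, one attribute structure never released), shown as an added example that is not FreeRADIUS code: a simplified Diameter AVP parser with the missing free on the error path and the corrected variant. `vp_t`, `diameter_to_vps` and `leaked_after` are hypothetical names, the AVP layout ignores the vendor field, and the payload is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a roughly 300-byte attribute node; not FreeRADIUS's VALUE_PAIR. */
typedef struct vp { uint32_t code; size_t len; uint8_t data[253]; struct vp *next; } vp_t;
static long live_nodes; /* nodes allocated and not yet freed */
static vp_t *vp_alloc(void) { vp_t *v = calloc(1, sizeof *v); if (v) live_nodes++; return v; }
static void vp_free(vp_t *v) { while (v) { vp_t *n = v->next; free(v); live_nodes--; v = n; } }

/* Simplified Diameter AVP: code(4) flags(1) length(3, header included), padded to 4.
 * Returns the list, or NULL if any AVP is malformed. leaky=1 models the missing free. */
static vp_t *diameter_to_vps(const uint8_t *p, size_t left, int leaky)
{
    vp_t *head = NULL, **tail = &head;
    while (left > 0) {
        size_t alen = 0, step;
        vp_t *v = vp_alloc();              /* node exists before validation */
        if (!v) goto fail;
        if (left >= 8) alen = ((size_t)p[5] << 16) | ((size_t)p[6] << 8) | p[7];
        if (alen < 8 || alen > left || alen - 8 > sizeof v->data) {
            if (!leaky) vp_free(v);        /* fix: release the unlinked node as well */
            goto fail;
        }
        v->code = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
        v->len = alen - 8; memcpy(v->data, p + 8, v->len);
        *tail = v; tail = &v->next;
        step = (alen + 3) & ~(size_t)3;    /* skip padding to the 4-byte boundary */
        if (step > left) step = left;
        p += step; left -= step;
    }
    return head;
fail:
    vp_free(head);                         /* linked nodes are freed in both variants */
    return NULL;
}

/* Replay one constructed malformed payload n times; return nodes still allocated. */
long leaked_after(int n, int leaky)
{
    /* Constructed input: a valid AVP (code 1, "user"), then one claiming length 0xFFFFFF. */
    static const uint8_t bad[] = { 0,0,0,1, 0x40, 0,0,12, 'u','s','e','r',
                                   0,0,0,2, 0x40, 0xff,0xff,0xff, 0,0,0,0 };
    long before = live_nodes;
    for (int i = 0; i < n; i++) vp_free(diameter_to_vps(bad, sizeof bad, leaky));
    return live_nodes - before;
}
int main(void) { printf("leaky=%ld fixed=%ld\n", leaked_after(5000, 1), leaked_after(5000, 0)); return 0; }
```

Each rejected request in the leaky variant leaves exactly one node allocated, so the loss grows linearly with the number of rejected authentications; a per-request allocation counter like `live_nodes` is a cheap regression check for this class of error-path leak.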