oss-sec mailing list archives

11 remote vulnerabilities (inc. 2x RCE) in FreeRADIUS packet parsers


From: Guido Vranken <guidovranken () gmail com>
Date: Mon, 17 Jul 2017 15:09:53 +0200

"FreeRADIUS is the most widely deployed RADIUS server in the world. It
is the basis for multiple commercial offerings. It supplies the AAA
needs of many Fortune-500 companies and Tier 1 ISPs."
(http://freeradius.org)

FreeRADIUS asked me to fuzz their DHCP and RADIUS packet parsers in
version 3.0.x (stable branch) and version 2.2.x (EOL, but receives
security updates). 11 distinct issues that can be triggered remotely
were found.

The following is excerpted from
freeradius.org/security/fuzzer-2017.html which I advise you to consult
for more detailed descriptions of the issues at hand.

"There are about as many issues disclosed in this page as in the
previous ten years combined."

v2, v3: CVE-2017-10978. No remote code execution is possible. A denial
of service is possible.
v2: CVE-2017-10979. Remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10980. No remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10981. No remote code execution is possible. A denial of
service is possible.
v2: CVE-2017-10982. No remote code execution is possible. A denial of
service is possible.
v2, v3: CVE-2017-10983. No remote code execution is possible. A denial
of service is possible.
v3: CVE-2017-10984. Remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10985. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10986. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10987. No remote code execution is possible. A denial of
service is possible.
v3: CVE-2017-10988. No remote code execution is possible. No denial of
service is possible. Exploitation does not cross a privilege boundary
in a correct and realistic product deployment.

