oss-sec mailing list archives
11 remote vulnerabilities (inc. 2x RCE) in FreeRADIUS packet parsers
From: Guido Vranken <guidovranken () gmail com>
Date: Mon, 17 Jul 2017 15:09:53 +0200
"FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs." (http://freeradius.org)

FreeRADIUS asked me to fuzz their DHCP and RADIUS packet parsers in version 3.0.x (stable branch) and version 2.2.x (EOL, but receives security updates).

11 distinct issues that can be triggered remotely were found.

The following is excerpted from freeradius.org/security/fuzzer-2017.html which I advise you to consult for more detailed descriptions of the issues at hand.

"There are about as many issues disclosed in this page as in the previous ten years combined."

v2, v3: CVE-2017-10978. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10979. Remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10980. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10981. No remote code execution is possible. A denial of service is possible.
v2: CVE-2017-10982. No remote code execution is possible. A denial of service is possible.
v2, v3: CVE-2017-10983. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10984. Remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10985. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10986. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10987. No remote code execution is possible. A denial of service is possible.
v3: CVE-2017-10988. No remote code execution is possible. No denial of service is possible. Exploitation does not cross a privilege boundary in a correct and realistic product deployment.