Vulnerabilities > CVE-2005-4746 - RLM_SQLCounter Buffer Overflow vulnerability in Freeradius 1.0.3/1.0.4

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
freeradius
nessus

Summary

Multiple buffer overflows in FreeRADIUS 1.0.3 and 1.0.4 allow remote attackers to cause denial of service (crash) via (1) the rlm_sqlcounter module or (2) unknown vectors "while expanding %t".

Vulnerable Configurations

Part Description Count
Application
Freeradius
2

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-1145.NASL
descriptionSeveral remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-4745 A SQL injection vulnerability has been discovered in the rlm_sqlcounter module. - CVE-2005-4746 Multiple buffer overflows have been discovered, allowing denial of service.
last seen2020-06-01
modified2020-06-02
plugin id22687
published2006-10-14
reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/22687
titleDebian DSA-1145-1 : freeradius - several vulnerabilities
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1145. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22687);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-4745", "CVE-2005-4746");
  script_xref(name:"DSA", value:"1145");

  script_name(english:"Debian DSA-1145-1 : freeradius - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or
denial of service. The Common Vulnerabilities and Exposures project
identifies the following problems :

  - CVE-2005-4745
    A SQL injection vulnerability has been discovered in the
    rlm_sqlcounter module.

  - CVE-2005-4746
    Multiple buffer overflows have been discovered, allowing
    denial of service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-4745"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-4746"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1145"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the freeradius packages.

For the stable distribution (sarge) these problems have been fixed in
version 1.0.2-4sarge3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freeradius");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.1", prefix:"freeradius", reference:"1.0.2-4sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-dialupadmin", reference:"1.0.2-4sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-iodbc", reference:"1.0.2-4sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-krb5", reference:"1.0.2-4sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-ldap", reference:"1.0.2-4sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-mysql", reference:"1.0.2-4sarge3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Statements

contributorMark J Cox
lastmodified2006-08-30
organizationRed Hat
statementNot vulnerable. This issue did not affect the FreeRADIUS packages as distributed with Red Hat Enterprise Linux 2.1, 3, or 4.