CVE-2006-1354 - Authentication Bypass vulnerability in FreeRADIUS EAP-MSCHAPv2

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Summary

Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_019.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:019 (freeradius). Insufficient input validation was being done in the EAP-MSCHAPv2 state machine of the FreeRADIUS authentication server. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. This is tracked by the Mitre CVE ID CVE-2006-1354.
    last seen: 2019-10-28
    modified: 2006-03-29
    plugin id: 21163
    published: 2006-03-29
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21163
    title: SUSE-SA:2006:019: freeradius
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:019
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(21163);
     script_version ("1.8");
     
     name["english"] = "SUSE-SA:2006:019: freeradius";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:019 (freeradius).
    
    
    Insufficient input validation was being done in the EAP-MSCHAPv2
    state machine of the FreeRADIUS authentication server.
    
    A malicious attacker could manipulate their EAP-MSCHAPv2 client state
    machine to potentially convince the server to bypass authentication
    checks. This bypassing could also result in the server crashing.
    
    This is tracked by the Mitre CVE ID CVE-2006-1354." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2006_19_freeradius.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/29");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the freeradius package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"freeradius-1.0.4-4.2", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"freeradius-1.0.5-2.14", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"freeradius-1.0.0-5.8", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"freeradius-1.0.2-5.7", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1089.NASL
    description: Several problems have been discovered in freeradius, a high-performance and highly configurable RADIUS server. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2005-4744 SuSE researchers have discovered several off-by-one errors may allow remote attackers to cause a denial of service and possibly execute arbitrary code. - CVE-2006-1354 Due to insufficient input validation it is possible for a remote attacker to bypass authentication or cause a denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22631
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22631
    title: Debian DSA-1089-1 : freeradius - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1089. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22631);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2005-4744", "CVE-2006-1354");
      script_bugtraq_id(17171, 17293);
      script_xref(name:"DSA", value:"1089");
    
      script_name(english:"Debian DSA-1089-1 : freeradius - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several problems have been discovered in freeradius, a
    high-performance and highly configurable RADIUS server. The Common
    Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2005-4744
        SuSE researchers have discovered several off-by-one
        errors may allow remote attackers to cause a denial of
        service and possibly execute arbitrary code.
    
      - CVE-2006-1354
        Due to insufficient input validation it is possible for
        a remote attacker to bypass authentication or cause a
        denial of service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-4744"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-1354"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1089"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the freeradius package.
    
    The old stable distribution (woody) does not contain this package.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 1.0.2-4sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freeradius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"freeradius", reference:"1.0.2-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"freeradius-dialupadmin", reference:"1.0.2-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"freeradius-iodbc", reference:"1.0.2-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"freeradius-krb5", reference:"1.0.2-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"freeradius-ldap", reference:"1.0.2-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"freeradius-mysql", reference:"1.0.2-4sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200604-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200604-03 (FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module) FreeRADIUS suffers from insufficient input validation in the EAP-MSCHAPv2 state machine. Impact : An attacker could cause the server to bypass authentication checks by manipulating the EAP-MSCHAPv2 client state machine. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21196
    published: 2006-04-08
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21196
    title: GLSA-200604-03 : FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_37A5C10FBF5611DAB0E900123FFE8333.NASL
    description: Freeradius Security Contact reports : Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21412
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21412
    title: FreeBSD : freeradius -- EAP-MSCHAPv2 Authentication Bypass (37a5c10f-bf56-11da-b0e9-00123ffe8333)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_1A216DFDF71011DA9156000E0C2E438A.NASL
    description: The freeradius development team reports : A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21678
    published: 2006-06-11
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21678
    title: FreeBSD : freeradius -- authentication bypass vulnerability (1a216dfd-f710-11da-9156-000e0c2e438a)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0271.NASL
    description: Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21895
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21895
    title: CentOS 3 / 4 : freeradius (CESA-2006:0271)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-060.NASL
    description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21149
    published: 2006-03-27
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21149
    title: Mandrake Linux Security Advisory : freeradius (MDKSA-2006:060)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0271.NASL
    description: Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21180
    published: 2006-04-04
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21180
    title: RHEL 3 / 4 : freeradius (RHSA-2006:0271)

Oval

accepted: 2013-04-29T04:02:23.290-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
family: unix
id: oval:org.mitre.oval:def:10156
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
version: 26

Redhat

advisories:
bugzilla:
id: 186083
title: CVE-2006-1354 FreeRADIUS authentication bypass
oval:
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • comment: freeradius-mysql is earlier than 0:1.0.1-3.RHEL4.3
          oval: oval:com.redhat.rhsa:tst:20060271001
        • comment: freeradius-mysql is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060271002
      • AND
        • comment: freeradius is earlier than 0:1.0.1-3.RHEL4.3
          oval: oval:com.redhat.rhsa:tst:20060271003
        • comment: freeradius is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060271004
      • AND
        • comment: freeradius-unixODBC is earlier than 0:1.0.1-3.RHEL4.3
          oval: oval:com.redhat.rhsa:tst:20060271005
        • comment: freeradius-unixODBC is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060271006
      • AND
        • comment: freeradius-postgresql is earlier than 0:1.0.1-3.RHEL4.3
          oval: oval:com.redhat.rhsa:tst:20060271007
        • comment: freeradius-postgresql is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060271008
rhsa:
id: RHSA-2006:0271
released: 2006-04-04
severity: Important
title: RHSA-2006:0271: freeradius security update (Important)
rpms:
  • freeradius-0:1.0.1-2.RHEL3.2
  • freeradius-0:1.0.1-3.RHEL4.3
  • freeradius-debuginfo-0:1.0.1-2.RHEL3.2
  • freeradius-debuginfo-0:1.0.1-3.RHEL4.3
  • freeradius-mysql-0:1.0.1-3.RHEL4.3
  • freeradius-postgresql-0:1.0.1-3.RHEL4.3
  • freeradius-unixODBC-0:1.0.1-3.RHEL4.3