CVE-2006-1354 - Authentication Bypass vulnerability in FreeRADIUS EAP-MSCHAPv2
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 7 |
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SA_2006_019.NASL
- description: The remote host is missing the patch for the advisory SUSE-SA:2006:019 (freeradius). Insufficient input validation was being done in the EAP-MSCHAPv2 state machine of the FreeRADIUS authentication server. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. This is tracked by the Mitre CVE ID CVE-2006-1354.
- last seen: 2019-10-28
- modified: 2006-03-29
- plugin id: 21163
- published: 2006-03-29
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/21163
- title: SUSE-SA:2006:019: freeradius
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:019
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

# Metadata pass: register the plugin's attributes and stop.
if(description)
{
 script_id(21163);
 script_version ("1.8");

 name["english"] = "SUSE-SA:2006:019: freeradius";
 script_name(english:name["english"]);

 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2006:019 (freeradius). Insufficient input validation was being done in the EAP-MSCHAPv2 state machine of the FreeRADIUS authentication server. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. This is tracked by the Mitre CVE ID CVE-2006-1354." );
 script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/advisories/2006_19_freeradius.html" );
 script_set_attribute(attribute:"risk_factor", value:"High" );

 script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/29");
 script_end_attributes();

 summary["english"] = "Check for the version of the freeradius package";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");

# Report the host when its installed freeradius package is older than
# the fixed build listed for that SUSE release.
if ( rpm_check( reference:"freeradius-1.0.4-4.2", release:"SUSE10.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"freeradius-1.0.5-2.14", release:"SUSE9.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"freeradius-1.0.0-5.8", release:"SUSE9.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"freeradius-1.0.2-5.7", release:"SUSE9.3") )
{
 security_hole(0);
 exit(0);
}
```

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1089.NASL
- description: Several problems have been discovered in freeradius, a high-performance and highly configurable RADIUS server. The Common Vulnerabilities and Exposures project identifies the following problems :
  - CVE-2005-4744 SuSE researchers have discovered several off-by-one errors may allow remote attackers to cause a denial of service and possibly execute arbitrary code.
  - CVE-2006-1354 Due to insufficient input validation it is possible for a remote attacker to bypass authentication or cause a denial of service.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22631
- published: 2006-10-14
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22631
- title: Debian DSA-1089-1 : freeradius - several vulnerabilities
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1089. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Metadata pass: register the plugin's attributes and stop.
if (description)
{
  script_id(22631);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-4744", "CVE-2006-1354");
  script_bugtraq_id(17171, 17293);
  script_xref(name:"DSA", value:"1089");

  script_name(english:"Debian DSA-1089-1 : freeradius - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several problems have been discovered in freeradius, a high-performance and highly configurable RADIUS server.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-4744 SuSE researchers have discovered several off-by-one errors may allow remote attackers to cause a denial of service and possibly execute arbitrary code.

  - CVE-2006-1354 Due to insufficient input validation it is possible for a remote attacker to bypass authentication or cause a denial of service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359042"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-4744"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-1354"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1089"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the freeradius package. The old stable distribution (woody) does not contain this package. For the stable distribution (sarge) this problem has been fixed in version 1.0.2-4sarge1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freeradius");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Local checks need credentialed access, a Debian host and its dpkg list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Count each freeradius package on Debian 3.1 that is older than 1.0.2-4sarge1.
flag = 0;
if (deb_check(release:"3.1", prefix:"freeradius", reference:"1.0.2-4sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-dialupadmin", reference:"1.0.2-4sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-iodbc", reference:"1.0.2-4sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-krb5", reference:"1.0.2-4sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-ldap", reference:"1.0.2-4sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"freeradius-mysql", reference:"1.0.2-4sarge1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200604-03.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200604-03 (FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module) FreeRADIUS suffers from insufficient input validation in the EAP-MSCHAPv2 state machine. Impact : An attacker could cause the server to bypass authentication checks by manipulating the EAP-MSCHAPv2 client state machine. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21196
- published: 2006-04-08
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21196
- title: GLSA-200604-03 : FreeRADIUS: Authentication bypass in EAP-MSCHAPv2 module

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_37A5C10FBF5611DAB0E900123FFE8333.NASL
- description: Freeradius Security Contact reports : Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21412
- published: 2006-05-13
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21412
- title: FreeBSD : freeradius -- EAP-MSCHAPv2 Authentication Bypass (37a5c10f-bf56-11da-b0e9-00123ffe8333)

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_1A216DFDF71011DA9156000E0C2E438A.NASL
- description: The freeradius development team reports : A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21678
- published: 2006-06-11
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21678
- title: FreeBSD : freeradius -- authentication bypass vulnerability (1a216dfd-f710-11da-9156-000e0c2e438a)

- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2006-0271.NASL
- description: Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21895
- published: 2006-07-03
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21895
- title: CentOS 3 / 4 : freeradius (CESA-2006:0271)

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2006-060.NASL
- description: An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21149
- published: 2006-03-27
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/21149
- title: Mandrake Linux Security Advisory : freeradius (MDKSA-2006:060)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2006-0271.NASL
- description: Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21180
- published: 2006-04-04
- reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/21180
- title: RHEL 3 / 4 : freeradius (RHSA-2006:0271)

Oval
accepted | 2013-04-29T04:02:23.290-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
family | unix |
id | oval:org.mitre.oval:def:10156 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
version | 26 |
Redhat
advisories | |
rpms | |
References
- ftp://patches.sgi.com/support/free/security/advisories/20060404-01-U.asc
- http://lists.suse.de/archive/suse-security-announce/2006-Mar/0009.html
- http://rhn.redhat.com/errata/RHSA-2006-0271.html
- http://secunia.com/advisories/19300
- http://secunia.com/advisories/19405
- http://secunia.com/advisories/19518
- http://secunia.com/advisories/19527
- http://secunia.com/advisories/19811
- http://secunia.com/advisories/20461
- http://securitytracker.com/id?1015795
- http://www.debian.org/security/2006/dsa-1089
- http://www.freeradius.org/security.html
- http://www.gentoo.org/security/en/glsa/glsa-200604-03.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:060
- http://www.securityfocus.com/bid/17171
- http://www.trustix.org/errata/2006/0020
- http://www.vupen.com/english/advisories/2006/1016
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25352
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10156