CVE-2007-2028 — Remote denial-of-service vulnerability in FreeRADIUS (EAP-TTLS tunnel memory leak)

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-499.NASL
    description - Wed May 9 2007 Thomas Woerner <twoerner at redhat.com> 1.1.3-2.fc6 - fixed CVE-2007-2028: EAP-TTLS denial of service Resolves: rhbz#236248 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id25230
    published2007-05-16
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25230
    titleFedora Core 6 : freeradius-1.1.3-2.fc6 (2007-499)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2007-499.
    #
    
    include("compat.inc");
    
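    if (description)
    {
      script_id(25230);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:26");

      # The advisory text below names CVE-2007-2028, but the plugin never
      # registered the CVE id, so findings could not be correlated with it.
      # Register it as the other distribution plugins for this flaw do.
      script_cve_id("CVE-2007-2028");
      script_xref(name:"FEDORA", value:"2007-499");

      script_name(english:"Fedora Core 6 : freeradius-1.1.3-2.fc6 (2007-499)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # The description is the vendor advisory reproduced verbatim (see the
      # trailing note); keep the text as-is and change only metadata around it.
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Wed May 9 2007 Thomas Woerner <twoerner at redhat.com>
        1.1.3-2.fc6

        - fixed CVE-2007-2028: EAP-TTLS denial of service
          Resolves: rhbz#236248

    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-May/001719.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?623336b7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector for CVE-2007-2028: remote, low complexity, no
      # authentication, availability-only impact (memory exhaustion) -- 5.0.
      # NOTE(review): the risk_factor "High" below predates this vector and is
      # left unchanged; the vector itself scores the flaw as Medium.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_attribute(attribute:"risk_factor", value:"High");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeradius");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeradius-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeradius-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeradius-postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeradius-unixODBC");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6");

      script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/16");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      # The check body reads Host/cpu for its architecture gate; require it
      # here (as the SuSE plugin for this CVE does) so the plugin is not
      # launched on a host where it cannot decide.
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }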
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Credentialed local check: needs local checks enabled, a Fedora release
    # string and the installed rpm list; every failed precondition audits out.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");

    # This advisory covers Fedora Core 6 only; anything else is out of scope.
    fc_match = eregmatch(pattern:"Fedora.*release ([0-9]+)", string:release);
    if (isnull(fc_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fc_ver = fc_match[1];
    if (!ereg(pattern:"^6([^0-9]|$)", string:fc_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + fc_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Only x86 / x86_64 package checks are implemented for this advisory.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);

    # All freeradius subpackages named in the advisory; any one of them
    # installed at a version older than the fixed build is a finding.
    fixed_pkgs = make_list(
      "freeradius-1.1.3-2.fc6",
      "freeradius-debuginfo-1.1.3-2.fc6",
      "freeradius-mysql-1.1.3-2.fc6",
      "freeradius-postgresql-1.1.3-2.fc6",
      "freeradius-unixODBC-1.1.3-2.fc6"
    );
    vuln = 0;
    foreach pkg (fixed_pkgs)
    {
      if (rpm_check(release:"FC6", reference:pkg)) vuln++;
    }

    if (!vuln)
    {
      # Distinguish "installed but patched" from "not installed at all".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius / freeradius-debuginfo / freeradius-mysql / etc");
    }

    # Report: include the per-package comparison when verbosity allows it.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_11512.NASL
    descriptionA memory leak in the code for handling EAP-TTLS tunnels could be exploited by attackers to crash freeradius. (CVE-2007-2028)
    last seen2020-06-01
    modified2020-06-02
    plugin id41133
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41133
    titleSuSE9 Security Update : freeradius (YOU Patch Number 11512)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41133);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:29");

      script_cve_id("CVE-2007-2028");

      script_name(english:"SuSE9 Security Update : freeradius (YOU Patch Number 11512)");
      script_summary(english:"Checks rpm output for the updated packages");

      # Vendor (Novell) wording, kept verbatim: a memory leak in EAP-TTLS
      # tunnel handling that an attacker can drive remotely.
      script_set_attribute(attribute:"synopsis", value:"The remote SuSE 9 host is missing a security-related patch.");
      script_set_attribute(attribute:"description", value:
    "A memory leak in the code for handling EAP-TTLS tunnels could be
    exploited by attackers to crash freeradius. (CVE-2007-2028)");
      script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-2028.html");
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 11512.");

      # CVSS v2: network, low complexity, no auth, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"SuSE Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");

      # Every KB key listed here is read by the check body below.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

      exit(0);
    }
    
    
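    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Use the shared audit() helpers for every early exit so the reasons match
    # the other local-check plugins for this CVE (e.g. the Fedora one) instead
    # of ad-hoc exit() strings.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/SuSE/release")) audit(AUDIT_OS_NOT, "SuSE");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Test whether "x86_64" occurs in the reported cpu string, not whether the
    # cpu string is a fragment of "x86_64" (the original operand order): the
    # old form would have skipped any architecture string longer than the
    # bare token. Same direction as the Fedora plugin's check.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 9", cpu);

    # Fixed builds from YOU patch 11512; an older installed version of either
    # package is a finding.
    flag = 0;
    foreach pkg (make_list("freeradius-1.0.5-2.17", "freeradius-devel-1.0.5-2.17"))
    {
      if (rpm_check(release:"SUSE9", reference:pkg)) flag++;
    }

    if (flag)
    {
      # Availability-only impact (CVSS A:P), so this stays at warning level.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # Distinguish "installed but patched" from "not installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius / freeradius-devel");
    }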
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_FREERADIUS-3287.NASL
    descriptionA memory leak in the code for handling EAP-TTLS tunnels could be exploited by attackers to crash freeradius. (CVE-2007-2028)
    last seen2020-06-01
    modified2020-06-02
    plugin id29435
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29435
    titleSuSE 10 Security Update : freeradius (ZYPP Patch Number 3287)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0338.NASL
    descriptionFrom Red Hat Security Advisory 2007:0338 : Updated freeradius packages that fix a memory leak flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A memory leak flaw was found in the way FreeRADIUS parses certain authentication requests. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory leading to a possible denial of service. (CVE-2007-2028) Users of FreeRADIUS should update to these erratum packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id67489
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67489
    titleOracle Linux 3 / 4 / 5 : freeradius (ELSA-2007-0338)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0338.NASL
    descriptionUpdated freeradius packages that fix a memory leak flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A memory leak flaw was found in the way FreeRADIUS parses certain authentication requests. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory leading to a possible denial of service. (CVE-2007-2028) Users of FreeRADIUS should update to these erratum packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id25213
    published2007-05-11
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25213
    titleRHEL 3 / 4 / 5 : freeradius (RHSA-2007:0338)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20070510_FREERADIUS_ON_SL3_0_X.NASL
    descriptionA memory leak flaw was found in the way FreeRADIUS parses certain authentication requests. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory leading to a possible denial of service. (CVE-2007-2028)
    last seen2020-06-01
    modified2020-06-02
    plugin id60178
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60178
    titleScientific Linux Security Update : freeradius on SL3.0.x , SL4.x, SL5.x
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-085.NASL
    descriptionMemory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures. Updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id25063
    published2007-04-19
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25063
    titleMandrake Linux Security Advisory : freeradius (MDKSA-2007:085)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_FREERADIUS-3286.NASL
    descriptionA memory leak in the code for handling EAP-TTLS tunnels could be exploited by attackers to crash freeradius (CVE-2007-2028).
    last seen2020-06-01
    modified2020-06-02
    plugin id27223
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27223
    titleopenSUSE 10 Security Update : freeradius (freeradius-3286)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200704-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200704-14 (FreeRADIUS: Denial of Service) The Coverity Scan project has discovered a memory leak within the handling of certain malformed Diameter format values inside an EAP-TTLS tunnel. Impact : A remote attacker could send a large amount of specially crafted packets to a FreeRADIUS server using EAP-TTLS authentication and exhaust all memory, possibly resulting in a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id25059
    published2007-04-19
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25059
    titleGLSA-200704-14 : FreeRADIUS: Denial of Service
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_C110EDA2E99511DBA9440012F06707F0.NASL
    descriptionThe freeradius development team reports : A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an … [advisory text is truncated in this excerpt; the Gentoo and Red Hat entries on this page describe the outcome as memory exhaustion leading to a denial of service]
    last seen2020-06-01
    modified2020-06-02
    plugin id25051
    published2007-04-19
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25051
    titleFreeBSD : freeradius -- EAP-TTLS Tunnel Memory Leak Remote DOS Vulnerability (c110eda2-e995-11db-a944-0012f06707f0)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0338.NASL
    descriptionUpdated freeradius packages that fix a memory leak flaw are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A memory leak flaw was found in the way FreeRADIUS parses certain authentication requests. A remote attacker could send a specially crafted authentication request which could cause FreeRADIUS to leak a small amount of memory. If enough of these requests are sent, the FreeRADIUS daemon would consume a vast quantity of system memory leading to a possible denial of service. (CVE-2007-2028) Users of FreeRADIUS should update to these erratum packages, which contain a backported patch to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id25204
    published2007-05-11
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25204
    titleCentOS 3 / 4 / 5 : freeradius (CESA-2007:0338)

Oval

accepted2013-04-29T04:11:56.175-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionMemory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures.
familyunix
idoval:org.mitre.oval:def:11156
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleMemory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures.
version27

Redhat

advisories
bugzilla
id236247
titleCVE-2007-2028 Freeradius EAP-TTLS denial of service
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentfreeradius is earlier than 0:1.0.1-3.RHEL4.5
          ovaloval:com.redhat.rhsa:tst:20070338001
        • commentfreeradius is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060271004
      • AND
        • commentfreeradius-mysql is earlier than 0:1.0.1-3.RHEL4.5
          ovaloval:com.redhat.rhsa:tst:20070338003
        • commentfreeradius-mysql is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060271002
      • AND
        • commentfreeradius-unixODBC is earlier than 0:1.0.1-3.RHEL4.5
          ovaloval:com.redhat.rhsa:tst:20070338005
        • commentfreeradius-unixODBC is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060271006
      • AND
        • commentfreeradius-postgresql is earlier than 0:1.0.1-3.RHEL4.5
          ovaloval:com.redhat.rhsa:tst:20070338007
        • commentfreeradius-postgresql is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060271008
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentfreeradius-mysql is earlier than 0:1.1.3-1.2.el5
          ovaloval:com.redhat.rhsa:tst:20070338010
        • commentfreeradius-mysql is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070338011
      • AND
        • commentfreeradius-postgresql is earlier than 0:1.1.3-1.2.el5
          ovaloval:com.redhat.rhsa:tst:20070338012
        • commentfreeradius-postgresql is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070338013
      • AND
        • commentfreeradius-unixODBC is earlier than 0:1.1.3-1.2.el5
          ovaloval:com.redhat.rhsa:tst:20070338014
        • commentfreeradius-unixODBC is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070338015
      • AND
        • commentfreeradius is earlier than 0:1.1.3-1.2.el5
          ovaloval:com.redhat.rhsa:tst:20070338016
        • commentfreeradius is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070338017
rhsa
idRHSA-2007:0338
released2008-01-07
severityModerate
titleRHSA-2007:0338: freeradius security update (Moderate)
rpms
  • freeradius-0:1.0.1-2.RHEL3.4
  • freeradius-0:1.0.1-3.RHEL4.5
  • freeradius-0:1.1.3-1.2.el5
  • freeradius-debuginfo-0:1.0.1-2.RHEL3.4
  • freeradius-debuginfo-0:1.0.1-3.RHEL4.5
  • freeradius-debuginfo-0:1.1.3-1.2.el5
  • freeradius-mysql-0:1.0.1-3.RHEL4.5
  • freeradius-mysql-0:1.1.3-1.2.el5
  • freeradius-postgresql-0:1.0.1-3.RHEL4.5
  • freeradius-postgresql-0:1.1.3-1.2.el5
  • freeradius-unixODBC-0:1.0.1-3.RHEL4.5
  • freeradius-unixODBC-0:1.1.3-1.2.el5