CVE-2011-4966 - Credentials Management vulnerability in FreeRADIUS
- Attack vector: NETWORK
- Attack complexity: MEDIUM
- Privileges required: SINGLE
- Confidentiality impact: PARTIAL
- Integrity impact: PARTIAL
- Availability impact: PARTIAL

Summary
modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2122-1.NASL
description: It was discovered that FreeRADIUS incorrectly handled unix authentication. A remote user could successfully authenticate with an expired password. (CVE-2011-4966) Pierre Carrier discovered that FreeRADIUS incorrectly handled rlm_pap hash processing. An authenticated user could use this issue to cause FreeRADIUS to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2014-2015). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-18
modified: 2014-02-27
plugin id: 72719
published: 2014-02-27
reporter: Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72719
title: Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : freeradius vulnerabilities (USN-2122-1)

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2013-038.NASL
description: Updated freeradius packages fixes security vulnerabilities : It was found that the unix module ignored the password expiration setting in /etc/shadow. If FreeRADIUS was configured to use this module for user authentication, this flaw could allow users with an expired password to successfully authenticate, even though their access should have been denied (CVE-2011-4966). Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long not after timestamp in a client certificate (CVE-2012-3547).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 66052
published: 2013-04-20
reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/66052
title: Mandriva Linux Security Advisory : freeradius (MDVSA-2013:038)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_FREERADIUS-SERVER-130122.NASL
description: This update for freeradius-server provides the following fixes and improvements :
  - Increase the vendor IDs limit from 32767 to 65535. (bnc#791666)
  - Fix issues with escaping special characters in password. (bnc#797515)
  - Respect expired passwords and accounts when using the unix module. (bnc#797313, CVE-2011-4966)
last seen: 2020-06-05
modified: 2013-02-28
plugin id: 64925
published: 2013-02-28
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/64925
title: SuSE 11.2 Security Update : freeradius (SAT Patch Number 7255)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20130108_FREERADIUS2_ON_SL5_X.NASL
description: It was found that the
last seen: 2020-03-18
modified: 2013-01-17
plugin id: 63593
published: 2013-01-17
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63593
title: Scientific Linux Security Update : freeradius2 on SL5.x i386/x86_64 (20130108)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2013-0134.NASL
description: From Red Hat Security Advisory 2013:0134 : Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. FreeRADIUS is an open source Remote Authentication Dial-In User Service (RADIUS) server which allows RADIUS clients to perform authentication against the RADIUS server. The RADIUS server may optionally perform accounting of its operations using the RADIUS protocol. It was found that the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 68705
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/68705
title: Oracle Linux 5 : freeradius2 (ELSA-2013-0134)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2013-0134.NASL
description: Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. FreeRADIUS is an open source Remote Authentication Dial-In User Service (RADIUS) server which allows RADIUS clients to perform authentication against the RADIUS server. The RADIUS server may optionally perform accounting of its operations using the RADIUS protocol. It was found that the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63579
published: 2013-01-17
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63579
title: CentOS 5 : freeradius2 (CESA-2013:0134)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2013-37.NASL
description:
  - fix for CVE-2011-4966 (bnc#797313) (freeradius-server-CVE-2011-4966.patch)
  - fixed a bug in the logrotate script (bnc#797292)
last seen: 2020-06-05
modified: 2014-06-13
plugin id: 74983
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74983
title: openSUSE Security Update : freeradius-server (openSUSE-SU-2013:0137-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0134.NASL
description: Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. FreeRADIUS is an open source Remote Authentication Dial-In User Service (RADIUS) server which allows RADIUS clients to perform authentication against the RADIUS server. The RADIUS server may optionally perform accounting of its operations using the RADIUS protocol. It was found that the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63415
published: 2013-01-08
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63415
title: RHEL 5 : freeradius2 (RHSA-2013:0134)
References
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00079.html
- http://rhn.redhat.com/errata/RHBA-2012-0881.html
- http://rhn.redhat.com/errata/RHSA-2013-0134.html
- https://github.com/alandekok/freeradius-server/commit/1b1ec5ce75e224bd1755650c18ccdaa6dc53e605