Vulnerabilities > CVE-2017-10984 - Out-of-bounds Write vulnerability in Freeradius

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
freeradius
CWE-787
critical
nessus

Summary

An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2389.NASL
    descriptionAn update for freeradius is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. Security Fix(es) : * An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) * An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) * An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) * A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) * Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) Red Hat would like to thank the FreeRADIUS project for reporting these issues. Upstream acknowledges Guido Vranken as the original reporter of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102762
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102762
    titleCentOS 7 : freeradius (CESA-2017:2389)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1167.NASL
    descriptionAccording to the versions of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such an application. (CVE-2017-0553) - An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) - A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) - Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) - An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) - Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) - An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-09-08
    plugin id103005
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103005
    titleEulerOS 2.0 SP1 : freeradius (EulerOS-SA-2017-1167)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2389.NASL
    descriptionAn update for freeradius is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. Security Fix(es) : * An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) * An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) * An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) * A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) * Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) Red Hat would like to thank the FreeRADIUS project for reporting these issues. Upstream acknowledges Guido Vranken as the original reporter of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102119
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102119
    titleRHEL 7 : freeradius (RHSA-2017:2389)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-972.NASL
    descriptionThis update for freeradius-server fixes the following issues : - update to 3.0.15 (bsc#1049086) - Bind the lifetime of program name and python path to the module - CVE-2017-10978: FR-GV-201: Check input / output length in make_secret() (bsc#1049086) - CVE-2017-10983: FR-GV-206: Fix read overflow when decoding DHCP option 63 (bsc#1049086) - CVE-2017-10984: FR-GV-301: Fix write overflow in data2vp_wimax() (bsc#1049086) - CVE-2017-10985: FR-GV-302: Fix infinite loop and memory exhaustion with
    last seen2020-06-05
    modified2017-08-29
    plugin id102810
    published2017-08-29
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102810
    titleopenSUSE Security Update : freeradius-server (openSUSE-2017-972)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170802_FREERADIUS_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) - An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) - An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) - A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) - Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987)
    last seen2020-03-18
    modified2017-08-22
    plugin id102661
    published2017-08-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102661
    titleScientific Linux Security Update : freeradius on SL7.x x86_64 (20170802)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2389.NASL
    descriptionFrom Red Hat Security Advisory 2017:2389 : An update for freeradius is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. Security Fix(es) : * An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) * An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) * An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) * A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) * Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) Red Hat would like to thank the FreeRADIUS project for reporting these issues. Upstream acknowledges Guido Vranken as the original reporter of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102344
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102344
    titleOracle Linux 7 : freeradius (ELSA-2017-2389)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2243-1.NASL
    descriptionThis update for freeradius fixes the following issues: Security issues fixed : - CVE-2017-10988: Decode
    last seen2020-06-01
    modified2020-06-02
    plugin id102728
    published2017-08-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102728
    titleSUSE SLES12 Security Update : freeradius-server (SUSE-SU-2017:2243-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3930.NASL
    descriptionGuido Vranken discovered that FreeRADIUS, an open source implementation of RADIUS, the IETF protocol for AAA (Authorisation, Authentication, and Accounting), did not properly handle memory when processing packets. This would allow a remote attacker to cause a denial-of-service by application crash, or potentially execute arbitrary code. All those issues are covered by this single DSA, but it
    last seen2020-06-01
    modified2020-06-02
    plugin id102371
    published2017-08-11
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102371
    titleDebian DSA-3930-1 : freeradius - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2202-1.NASL
    descriptionThis update for freeradius-server fixes the following issues : - update to 3.0.15 (bsc#1049086) - Bind the lifetime of program name and python path to the module - CVE-2017-10978: FR-GV-201: Check input / output length in make_secret() (bsc#1049086) - CVE-2017-10983: FR-GV-206: Fix read overflow when decoding DHCP option 63 (bsc#1049086) - CVE-2017-10984: FR-GV-301: Fix write overflow in data2vp_wimax() (bsc#1049086) - CVE-2017-10985: FR-GV-302: Fix infinite loop and memory exhaustion with
    last seen2020-06-01
    modified2020-06-02
    plugin id102579
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102579
    titleSUSE SLES12 Security Update : freeradius-server (SUSE-SU-2017:2202-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3369-1.NASL
    descriptionGuido Vranken discovered that FreeRADIUS incorrectly handled memory when decoding packets. A remote attacker could use this issue to cause FreeRADIUS to crash or hang, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102033
    published2017-07-28
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102033
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : freeradius vulnerabilities (USN-3369-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1192.NASL
    descriptionThis update for freeradius-server fixes the following issues : Fix a number of security issues found via fuzzing by Guido Vranken See http://freeradius.org/security/fuzzer-2017.html for details. (boo#1049086) - CVE-2017-10987 / FR-GV-304: DHCP - Buffer over-read in fr_dhcp_decode_suboptions() - CVE-2017-10986 / FR-GV-303: DHCP - Infinite read in dhcp_attr2vp() - FR-AD-001: Use strncmp() instead of memcmp() for string data - CVE-2017-10983 / FR-GV-206: DHCP - Read overflow when decoding option 63 - CVE-2017-10985 / FR-GV-302: Infinite loop and memory exhaustion with
    last seen2020-06-05
    modified2017-10-26
    plugin id104164
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104164
    titleopenSUSE Security Update : freeradius-server (openSUSE-2017-1192)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1168.NASL
    descriptionAccording to the versions of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such an application. (CVE-2017-0553) - An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. (CVE-2017-10978) - A denial of service flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to cause the FreeRADIUS server to enter an infinite loop, consume increasing amounts of memory resources, and ultimately crash by sending a specially crafted request packet. (CVE-2017-10985) - Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) - An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10983) - Multiple out-of-bounds read flaws were found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use these flaws to crash the FreeRADIUS server by sending a specially crafted DHCP request. (CVE-2017-10986, CVE-2017-10987) - An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. (CVE-2017-10984) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-09-08
    plugin id103006
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103006
    titleEulerOS 2.0 SP2 : freeradius (EulerOS-SA-2017-1168)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-24C64C531A.NASL
    description - Upgrade to upstream v3.0.15 release. See upstream ChangeLog for details (in freeradius-doc subpackage). - Resolves: Bug#1471848 CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret() - Resolves: Bug#1471860 CVE-2017-10983 freeradius: Out-of-bounds read in fr_dhcp_decode() when decoding option 63 - Resolves: Bug#1471861 CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax() - Resolves: Bug#1471863 CVE-2017-10985 freeradius: Infinite loop and memory exhaustion with
    last seen2020-06-05
    modified2017-07-28
    plugin id102024
    published2017-07-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102024
    titleFedora 25 : freeradius (2017-24c64c531a)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-0D726DBED3.NASL
    description - Upgrade to upstream v3.0.15 release. See upstream ChangeLog for details (in freeradius-doc subpackage). - Resolves: Bug#1471848 CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret() - Resolves: Bug#1471860 CVE-2017-10983 freeradius: Out-of-bounds read in fr_dhcp_decode() when decoding option 63 - Resolves: Bug#1471861 CVE-2017-10984 freeradius: Out-of-bounds write in data2vp_wimax() - Resolves: Bug#1471863 CVE-2017-10985 freeradius: Infinite loop and memory exhaustion with
    last seen2020-06-05
    modified2017-07-28
    plugin id102022
    published2017-07-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102022
    titleFedora 26 : freeradius (2017-0d726dbed3)

Redhat

advisories
rhsa
idRHSA-2017:2389
rpms
  • freeradius-0:3.0.13-8.el7_4
  • freeradius-debuginfo-0:3.0.13-8.el7_4
  • freeradius-devel-0:3.0.13-8.el7_4
  • freeradius-doc-0:3.0.13-8.el7_4
  • freeradius-krb5-0:3.0.13-8.el7_4
  • freeradius-ldap-0:3.0.13-8.el7_4
  • freeradius-mysql-0:3.0.13-8.el7_4
  • freeradius-perl-0:3.0.13-8.el7_4
  • freeradius-postgresql-0:3.0.13-8.el7_4
  • freeradius-python-0:3.0.13-8.el7_4
  • freeradius-sqlite-0:3.0.13-8.el7_4
  • freeradius-unixODBC-0:3.0.13-8.el7_4
  • freeradius-utils-0:3.0.13-8.el7_4