
CVSS 7.0 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
freeradius
fedoraproject
redhat
nessus

Summary

It was discovered that freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate their privileges to root by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible to the radiusd user. The weakness is in the shipped logrotate configuration rather than in the server code, so the fixes were delivered as distribution package updates (see the Red Hat and EulerOS advisories below). NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."

Vulnerable Configurations

Part Description Count
Application
Freeradius
92
OS
Fedoraproject
2
OS
Redhat
1

Nessus

  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1674.NASL
    description: According to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.(CVE-2019-10143) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-07-02
    plugin id: 126416
    published: 2019-07-02
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/126416
    title: EulerOS 2.0 SP5 : freeradius (EulerOS-SA-2019-1674)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Generated local check for EulerOS 2.0 SP5: flags the host when the
    # installed freeradius rpm is older than the build named in
    # EulerOS-SA-2019-1674 (CVE-2019-10143).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126416);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id("CVE-2019-10143");
    
      script_name(english:"EulerOS 2.0 SP5 : freeradius (EulerOS-SA-2019-1674)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the freeradius package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - It was discovered freeradius does not correctly
        configure logrotate, allowing a local attacker who
        already has control of the radiusd user to escalate his
        privileges to root, by tricking logrotate into writing
        a radiusd-writable file to a directory normally
        inaccessible by the radiusd user.(CVE-2019-10143)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # Vendor advisory (shortened in see_also):
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1674
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6ee71598");
      script_set_attribute(attribute:"solution", value:
    "Update the affected freeradius package.");
    
      # Scores: local vector, medium/high complexity, full C/I/A impact.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freeradius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Needs the SSH-collected KB entries; UVP builds are skipped entirely.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Every audit() call terminates the plugin, so each guard below is a
    # precondition for the ones after it and the order must be kept.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    # A host reporting a UVP version is out of scope for this check.
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    
    # Only x86 hosts reach the package comparison. aarch64 passes the
    # "implemented" guard but is still rejected by the architecture guard,
    # so it is reported as AUDIT_ARCH_NOT rather than NOT_IMPLEMENTED.
    x86_host = ("x86_64" >< cpu || cpu =~ "^i[3-6]86$");
    if (!x86_host)
    {
      if ("aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
      audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    }
    
    # Reference build for SP5; rpm_check() (rpm.inc) decides whether the
    # installed freeradius rpm is older than it.
    fixed_pkgs = ["freeradius-3.0.13-8.h2.eulerosv2r7"];
    
    vulnerable = 0;
    foreach (pkg in fixed_pkgs)
    {
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) vulnerable++;
    }
    
    # Nothing matched: distinguish "installed and fixed" from "not installed".
    if (!vulnerable)
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius");
    }
    
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
    );
    exit(0);
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2065.NASL
    description: According to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.(CVE-2019-10143) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-09-24
    plugin id: 129258
    published: 2019-09-24
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129258
    title: EulerOS 2.0 SP3 : freeradius (EulerOS-SA-2019-2065)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Generated local check for EulerOS 2.0 SP3: reports freeradius when the
    # installed rpm predates the build named in EulerOS-SA-2019-2065
    # (CVE-2019-10143).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129258);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id("CVE-2019-10143");
    
      script_name(english:"EulerOS 2.0 SP3 : freeradius (EulerOS-SA-2019-2065)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the freeradius package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - It was discovered freeradius does not correctly
        configure logrotate, allowing a local attacker who
        already has control of the radiusd user to escalate his
        privileges to root, by tricking logrotate into writing
        a radiusd-writable file to a directory normally
        inaccessible by the radiusd user.(CVE-2019-10143)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # Vendor advisory (shortened in see_also):
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2065
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8f1cb023");
      script_set_attribute(attribute:"solution", value:
    "Update the affected freeradius package.");
    
      # Scores: local vector, medium/high complexity, full C/I/A impact.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:freeradius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Needs the SSH-collected KB entries; UVP builds are skipped entirely.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # --- Host preconditions. audit() exits the plugin, so the order of
    # these guards is significant and is kept as in the generated template.
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    # A host reporting a UVP version is out of scope for this check.
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # --- Architecture. Note that aarch64 survives the first guard only to
    # be rejected by the second, so only x86 hosts reach the rpm comparison.
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu)
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    }
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
    {
      audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    }
    
    # --- Package comparison against the SP3 reference build.
    
    hits = 0;
    reference_builds = ["freeradius-3.0.13-8.h2"];
    
    foreach (candidate in reference_builds)
    {
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:candidate)) hits++;
    }
    
    if (hits == 0)
    {
      # Installed but already at/after the fix, or not installed at all.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeradius");
    }
    
    security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
    exit(0);
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-3353.NASL
    description: An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network. Security Fix(es) : * freeradius: privilege escalation due to insecure logrotate configuration (CVE-2019-10143) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
    last seen: 2020-05-23
    modified: 2019-11-06
    plugin id: 130531
    published: 2019-11-06
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130531
    title: RHEL 8 : freeradius:3.0 (RHSA-2019:3353)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1747.NASL
    description: According to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.(CVE-2019-10143) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-07-22
    plugin id: 126874
    published: 2019-07-22
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/126874
    title: EulerOS 2.0 SP2 : freeradius (EulerOS-SA-2019-1747)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1763.NASL
    description: According to the version of the freeradius package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered freeradius does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user.(CVE-2019-10143) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-03
    modified: 2019-07-25
    plugin id: 127000
    published: 2019-07-25
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127000
    title: EulerOS 2.0 SP8 : freeradius (EulerOS-SA-2019-1763)

Packetstorm

data source: https://packetstormsecurity.com/files/download/155361/AIT-SA-20191112-01.txt
id: PACKETSTORM:155361
last seen: 2019-11-17
published: 2019-11-15
reporter: Wolfgang Hotwagner
source: https://packetstormsecurity.com/files/155361/FreeRadius-3.0.19-Logrotate-Privilege-Escalation.html
title: FreeRadius 3.0.19 Logrotate Privilege Escalation

Redhat

advisories
bugzilla
id: 1705340
title: CVE-2019-10143 freeradius: privilege escalation due to insecure logrotate configuration
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 8 is installed
      oval: oval:com.redhat.rhba:tst:20193384074
    • comment: Module freeradius:3.0 is enabled
      oval: oval:com.redhat.rhsa:tst:20191142027
    • OR
      • AND
        • comment: freeradius-utils is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353001
        • comment: freeradius-utils is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881004
      • AND
        • comment: freeradius-unixODBC is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353003
        • comment: freeradius-unixODBC is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881006
      • AND
        • comment: freeradius-sqlite is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353005
        • comment: freeradius-sqlite is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20171581018
      • AND
        • comment: freeradius-rest is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353007
        • comment: freeradius-rest is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20191142008
      • AND
        • comment: freeradius-postgresql is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353009
        • comment: freeradius-postgresql is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881008
      • AND
        • comment: freeradius-perl is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353011
        • comment: freeradius-perl is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881002
      • AND
        • comment: freeradius-mysql is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353013
        • comment: freeradius-mysql is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881016
      • AND
        • comment: freeradius-ldap is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353015
        • comment: freeradius-ldap is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881014
      • AND
        • comment: freeradius-krb5 is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353017
        • comment: freeradius-krb5 is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881010
      • AND
        • comment: freeradius-doc is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353019
        • comment: freeradius-doc is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20171581022
      • AND
        • comment: freeradius-devel is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353021
        • comment: freeradius-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20171581006
      • AND
        • comment: freeradius-debugsource is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353023
        • comment: freeradius-debugsource is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20191142024
      • AND
        • comment: freeradius is earlier than 0:3.0.17-6.module+el8.1.0+3392+9bd8939b
          oval: oval:com.redhat.rhsa:tst:20193353025
        • comment: freeradius is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20120881018
rhsa
id: RHSA-2019:3353
released: 2019-11-05
severity: Moderate
title: RHSA-2019:3353: freeradius:3.0 security and bug fix update (Moderate)
rpms
  • freeradius-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-debugsource-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-devel-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-doc-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-krb5-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-krb5-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-ldap-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-ldap-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-mysql-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-mysql-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-perl-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-perl-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-postgresql-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-postgresql-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-rest-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-rest-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-sqlite-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-sqlite-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-unixODBC-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-unixODBC-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-utils-0:3.0.17-6.module+el8.1.0+3392+9bd8939b
  • freeradius-utils-debuginfo-0:3.0.17-6.module+el8.1.0+3392+9bd8939b