FreeRADIUS: heap exploit and NULL pointer dereference vulnerability — GLSA 200311-04

FreeRADIUS is vulnerable to a heap exploit and a NULL pointer dereference vulnerability.

Affected Packages

net-dialup/freeradius on all architectures
Affected versions <= 0.9.2
Unaffected versions >= 0.9.3

Background

FreeRADIUS is a popular open source RADIUS server.

Description

FreeRADIUS versions below 0.9.3 are vulnerable to a heap exploit, however, the attack code must be in the form of a valid RADIUS packet which limits the possible exploits.

Also corrected in the 0.9.3 release is another vulnerability which causes the RADIUS server to de-reference a NULL pointer and crash when an Access-Request packet with a Tunnel-Password is received.

Impact

A remote attacker could craft a RADIUS packet which would cause the RADIUS server to crash, or could possibly overflow the heap resulting in a system compromise.

Workaround

There is no known workaround at this time.

Resolution

Users are encouraged to perform an 'emerge sync' and upgrade the package to the latest available version - 0.9.3 is available in portage and is marked as stable.

 # emerge sync
 # emerge -pv '>=net-dialup/freeradius-0.9.3'
 # emerge '>=net-dialup/freeradius-0.9.3'
 # emerge clean

References

Release Date
November 23, 2003

Latest Revision
November 23, 2003: 01

Severity
normal

Exploitable
remote

Bugzilla entries