__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN freeradius Security Update [RHSA-2006:0271-12] April 13, 2006 18:00 GMT Number Q-175 [REVISED 05 June 2006] ______________________________________________________________________________ PROBLEM: A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol and also in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. PLATFORM: Red Hat Enterprise Linux AS (v. 3 and v. 4) Red Hat Enterprise Linux ES (v. 3 and v. 4) DAMAGE: It is possible for a remote attacker to authenticate as a victim, or an attacker could cause FreeRADIUS to crash or execute arbitrary code. SOLUTION: Apply current patches. ______________________________________________________________________________ VULNERABILITY The risk is LOW - It is possible for a remote attacker to ASSESSMENT: authenticate as a victim, or an attacker could cause FreeRADIUS to crash or execute arbitrary code. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-175.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2006-0271.html ADDITIONAL LINKS: Debian Security Advisory 1089-1 http://www.debian.org/security/2006/dsa-1089 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2005-4744, CVE-2006-1354 ______________________________________________________________________________ REVISION HISTORY: 06/05/2006 - added a link to Debian Security Advisory 1089-1 [***** Start RHSA-2006:0271-12 *****] Important: freeradius security update Advisory: RHSA-2006:0271-12 Type: Security Advisory Issued on: 2006-04-04 Last updated on: 2006-04-13 Affected Products: Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) CVEs (cve.mitre.org): CVE-2005-4744 CVE-2006-1354 Details Updated freeradius packages that fix an authentication weakness are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. FreeRADIUS is a high-performance and highly configurable free RADIUS server designed to allow centralized authentication and authorization for a network. A bug was found in the way FreeRADIUS authenticates users via the MSCHAP V2 protocol. It is possible for a remote attacker to authenticate as a victim by sending a malformed MSCHAP V2 login request to the FreeRADIUS server. (CVE-2006-1354) Please note that FreeRADIUS installations not using the MSCHAP V2 protocol for authentication are not vulnerable to this issue. A bug was also found in the way FreeRADIUS logs SQL errors from the sql_unixodbc module. It may be possible for an attacker to cause FreeRADIUS to crash or execute arbitrary code if they are able to manipulate the SQL database FreeRADIUS is connecting to. (CVE-2005-4744) Users of FreeRADIUS should update to these erratum packages, which contain backported patches and are not vulnerable to these issues. Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. Updated packages Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- SRPMS: freeradius-1.0.1-2.RHEL3.2.src.rpm bfc9e019ba3dd3ee67a4156ff37f467c IA-32: freeradius-1.0.1-2.RHEL3.2.i386.rpm b4969ec213ec03c6fc693a1d84f2029c IA-64: freeradius-1.0.1-2.RHEL3.2.ia64.rpm 734b8d8314d7bcd9fa122053bf1d495d PPC: freeradius-1.0.1-2.RHEL3.2.ppc.rpm 21188abdd2a98f81d806a29a77fea928 s390: freeradius-1.0.1-2.RHEL3.2.s390.rpm 8429b0806d6e2baadca6ac94312dad8b s390x: freeradius-1.0.1-2.RHEL3.2.s390x.rpm 0ac7a21d7bedba7d6b1cf63861a02e31 x86_64: freeradius-1.0.1-2.RHEL3.2.x86_64.rpm 7eaf8db1f720773cf28479dd6f57fdb0 Red Hat Enterprise Linux AS (v. 4) -------------------------------------------------------------------------------- SRPMS: freeradius-1.0.1-3.RHEL4.3.src.rpm c6917a0d98ac04e34db4294217a389fb IA-32: freeradius-1.0.1-3.RHEL4.3.i386.rpm 1121b8e53033f5580889eaab5fbd822e freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm 6b1ed7b9c10178db478963f9b4b5986a freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm 791f052034f7a13f2b07f384e83795f2 freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm 046fb51db100364dbe3dc856e7dca02c IA-64: freeradius-1.0.1-3.RHEL4.3.ia64.rpm 15db5d25efd4ecf030615ccf2552b04d freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm 9fd7df598cffcfdc21012296d3e5eca9 freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm 6e813082c69c2c494daa435767e54dbd freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm 8d1bcdc20817ac37be901cd2c7fe7088 PPC: freeradius-1.0.1-3.RHEL4.3.ppc.rpm 0a3d9b8f2d09b1b13259ea99acff91b7 freeradius-mysql-1.0.1-3.RHEL4.3.ppc.rpm e4a7578d745c69f656d8d840307c139f freeradius-postgresql-1.0.1-3.RHEL4.3.ppc.rpm e45ba7af692792d8bc52db7e0f6e0deb freeradius-unixODBC-1.0.1-3.RHEL4.3.ppc.rpm 9d693f9e452fd06d73aed9a1d5740ddf s390: freeradius-1.0.1-3.RHEL4.3.s390.rpm cc607bb4dfb35128ed7bef2a74e40aa8 freeradius-mysql-1.0.1-3.RHEL4.3.s390.rpm 42b226f640a1a4224ef0c27bc7bf5527 freeradius-postgresql-1.0.1-3.RHEL4.3.s390.rpm ebefbb200863e9bfeb775c7b104934cb freeradius-unixODBC-1.0.1-3.RHEL4.3.s390.rpm 4b43bb86ba1d6dc6953bb6dc3d67a147 s390x: freeradius-1.0.1-3.RHEL4.3.s390x.rpm 74d462262538062aad16e9d8cea6eb18 freeradius-mysql-1.0.1-3.RHEL4.3.s390x.rpm a722d74a53facc3b431ec2ed55481b61 freeradius-postgresql-1.0.1-3.RHEL4.3.s390x.rpm 53088f0fbfd0e9b9c1ccd7db0bcff0ad freeradius-unixODBC-1.0.1-3.RHEL4.3.s390x.rpm 8b6856b542505d85320bf176beb623c9 x86_64: freeradius-1.0.1-3.RHEL4.3.x86_64.rpm d04afcde9543c934bbb44b3a8cf1ad53 freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm 9734492926441eddcd2740f1d19b537c freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm ab8051bbcb05c66af19e5a89a2349deb freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm 400250cfddddc9e095d581e2ae87b789 Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- SRPMS: freeradius-1.0.1-2.RHEL3.2.src.rpm bfc9e019ba3dd3ee67a4156ff37f467c IA-32: freeradius-1.0.1-2.RHEL3.2.i386.rpm b4969ec213ec03c6fc693a1d84f2029c IA-64: freeradius-1.0.1-2.RHEL3.2.ia64.rpm 734b8d8314d7bcd9fa122053bf1d495d x86_64: freeradius-1.0.1-2.RHEL3.2.x86_64.rpm 7eaf8db1f720773cf28479dd6f57fdb0 Red Hat Enterprise Linux ES (v. 4) -------------------------------------------------------------------------------- SRPMS: freeradius-1.0.1-3.RHEL4.3.src.rpm c6917a0d98ac04e34db4294217a389fb IA-32: freeradius-1.0.1-3.RHEL4.3.i386.rpm 1121b8e53033f5580889eaab5fbd822e freeradius-mysql-1.0.1-3.RHEL4.3.i386.rpm 6b1ed7b9c10178db478963f9b4b5986a freeradius-postgresql-1.0.1-3.RHEL4.3.i386.rpm 791f052034f7a13f2b07f384e83795f2 freeradius-unixODBC-1.0.1-3.RHEL4.3.i386.rpm 046fb51db100364dbe3dc856e7dca02c IA-64: freeradius-1.0.1-3.RHEL4.3.ia64.rpm 15db5d25efd4ecf030615ccf2552b04d freeradius-mysql-1.0.1-3.RHEL4.3.ia64.rpm 9fd7df598cffcfdc21012296d3e5eca9 freeradius-postgresql-1.0.1-3.RHEL4.3.ia64.rpm 6e813082c69c2c494daa435767e54dbd freeradius-unixODBC-1.0.1-3.RHEL4.3.ia64.rpm 8d1bcdc20817ac37be901cd2c7fe7088 x86_64: freeradius-1.0.1-3.RHEL4.3.x86_64.rpm d04afcde9543c934bbb44b3a8cf1ad53 freeradius-mysql-1.0.1-3.RHEL4.3.x86_64.rpm 9734492926441eddcd2740f1d19b537c freeradius-postgresql-1.0.1-3.RHEL4.3.x86_64.rpm ab8051bbcb05c66af19e5a89a2349deb freeradius-unixODBC-1.0.1-3.RHEL4.3.x86_64.rpm 400250cfddddc9e095d581e2ae87b789 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 167676 - CVE-2005-4744 Multiple freeradius security issues 186083 - CVE-2006-1354 FreeRADIUS authentication bypass References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4744 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1354 http://www.redhat.com/security/updates/classification/#important -------------------------------------------------------------------------------- These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ [***** End RHSA-2006:0271-12 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) Q-165: Cisco Networking and Controller Vulnerabilities Q-166: RealNetworks products are vulnerable to buffer overflow Q-167: Cisco 11500 Switch Vulnerability Q-168: Local Unauthorized Access Q-169: Application Patches Q-170: Cumulative Security Update for Internet Explorer Q-171: Vulnerability in the Microsoft Data Access Components (MDAC) Function Q-172: Vulnerability in Windows Explorer Q-173: Microsoft Security Bulletin MS06-016 Q-174: Vulnerability in Microsoft FrontPage Server Extensions