FreeBSD : freeradius -- arbitrary code execution for TLS-based authentication (3bbbe3aa-fbeb-11e1-8bd8-0022156e8794)

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

freeRADIUS security team reports :

Overflow in EAP-TLS for 2.1.10, 2.1.11 and 2.1.12.

The issue was found by Timo Warns, and communicated to
[email protected]. A sample exploit for the issue was included
in the notification.

The vulnerability was created in commit a368a6f4f4aaf on August 18,
2010. Vulnerable versions include 2.1.10, 2.1.11, and 2.1.12. Also
anyone running the git 'master' branch after August 18, 2010 is
vulnerable.

All sites using TLS-based EAP methods and the above versions are
vulnerable. The only configuration change which can avoid the issue is
to disable EAP-TLS, EAP-TTLS, and PEAP.

An external attacker can use this vulnerability to over-write the
stack frame of the RADIUS server, and cause it to crash. In addition,
more sophisticated attacks may gain additional privileges on the
system running the RADIUS server.

This attack does not require local network access to the RADIUS
server. It can be done by an attacker through a WiFi Access Point, so
long as the Access Point is configured to use 802.1X authentication
with the RADIUS server.
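
An added example (not part of the advisory or the Nessus plugin): a triage check combining the two conditions stated above, a listed version and a configured TLS-based EAP method. It assumes the FreeRADIUS 2.x `eap.conf` layout, where each method is a sub-section of `eap { }` named `tls`, `ttls` or `peap`, and that a method is disabled by removing or commenting out its section; the sample config is constructed.

```python
import re

# Versions the advisory lists as vulnerable (git 'master' builds are not covered).
VULNERABLE = {"2.1.10", "2.1.11", "2.1.12"}
# Assumed section names of the TLS-based methods in a 2.x eap.conf.
TLS_METHODS = {"tls": "EAP-TLS", "ttls": "EAP-TTLS", "peap": "PEAP"}

# Constructed sample config: TTLS is commented out, TLS and PEAP are active.
SAMPLE_CONF = """
eap {
    default_eap_type = md5
    md5 {
    }
    tls {
        private_key_file = ${certdir}/server.pem
        cache {
            enable = no
        }
    }
    # ttls {
    #     default_eap_type = md5
    # }
    peap {
        default_eap_type = mschapv2
    }
}
"""

def enabled_tls_methods(conf_text):
    """Return TLS-based EAP methods configured directly inside eap { }."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"^([\w-]+)\s*\{", line)    # "name {" opens a section
        if m:
            if stack == ["eap"] and m.group(1) in TLS_METHODS:
                found.append(TLS_METHODS[m.group(1)])
            if not line.endswith("}"):           # "md5 { }" opens and closes
                stack.append(m.group(1))
        elif line == "}" and stack:
            stack.pop()
    return found

def assess(version, conf_text):
    """Return (exposed, methods); exposed needs a listed version and a method."""
    methods = enabled_tls_methods(conf_text)
    return (version in VULNERABLE and bool(methods), methods)

if __name__ == "__main__":
    print(assess("2.1.12", SAMPLE_CONF))
```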

See also :

http://freeradius.org/security.html
http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt
http://www.nessus.org/u?b165c72b

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 62054

Bugtraq ID:

CVE ID: CVE-2012-3547
