Detections
Analytics

MiracleLinux 4 : freeradius-2.2.6-4.AXS4 (AXSA:2015-304:01)

critical Nessus Plugin ID 289369

Synopsis

The remote MiracleLinux host is missing a security update.

Description

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2015-304:01 advisory.

 The FreeRADIUS Server Project is a high performance and highly configurable GPL'd free RADIUS server. The server is similar in some respects to Livingston's 2.0 server. While FreeRADIUS started as a variant of the Cistron RADIUS server, they don't share a lot in common any more. It now has many more features than Cistron or Livingston, and is much more configurable.
 FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.
 Security issues fixed with this release:
 CVE-2014-2015 Fixed bugs:
 * The number of dictionaries have been updated.
 * This update implements several Extensible Authentication Protocol (EAP) improvements.
 * A number of new expansions have been added, including: %{randstr:...}, %{hex:...}, %{sha1:...}, %{base64:...}, %{tobase64:...}, and %{base64tohex:...}.
 * Hexadecimal numbers (0x...) are now supported in %{expr:...} expansions.
 * This update adds operator support to the rlm_python module.
 * The Dynamic Host Configuration Protocol (DHCP) and DHCP relay code have been finalized.
 * This update adds the rlm_cache module to cache arbitrary attributes.
 * The /var/log/radius/radutmp file was configured to rotate at one-month intervals, even though this was unnecessary. With this update, the described problem was fixed.
 * The radiusd service could not write the output file created by the raddebug utility. The raddebug utility now sets appropriate ownership to the output file, allowing radiusd to write the output.
 * After starting raddebug using the raddebug -t 0 command, raddebug exited immediately. A typo in the special case comparison has been fixed, and raddebug now runs for 11.5 days in this situation.
 * MS-CHAP authentication failed when the User-Name and MS-CHAP-User-Name attributes used different encodings, even when the user provided correct credentials. With this update, authentication with correct credentials no longer fails in this situation.
 * Automatically generated default certificates used the SHA-1 algorithm message digest, which is considered insecure. The default certificates now use the more secure SHA-256 algorithm message digest.
 * During the Online Certificate Status Protocol (OCSP) validation, radiusd terminated unexpectedly with a segmentation fault after attempting to access the next update field that was not provided by the OCSP responder. With this update, this problem is fixed.
 * Previously, radiusd failed to work with some of the more recent MikroTIK attributes, because the installed directory.mikrotik file did not include them. With this update, the bug was fixed.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected freeradius package.

See Also

https://tsn.miraclelinux.com/en/node/5649

Plugin Details

Severity: Critical

ID: 289369

File Name: miracle_linux_AXSA-2015-304.nasl

Version: 1.1

Type: local

Published: 1/16/2026

Updated: 1/16/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-2015

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:miracle:linux:4, p-cpe:/a:miracle:linux:freeradius

Required KB Items: Host/local_checks_enabled, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/11/2015

Vulnerability Publication Date: 2/17/2014

Reference Information

CVE: CVE-2014-2015