CVE-2022-41860: it's probably wrong to be completely retarded. Let's fix that. · FreeRADIUS/freeradius-server@f1cdbb3
In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
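The attribute walk described above, as an added example that is not FreeRADIUS code: a small EAP-SIM attribute-list decoder in which a failed dictionary lookup is handled instead of being dereferenced. The function names (`sim_attr_known`, `sim_decode_attrs`, `sim_check`), the three-entry stand-in dictionary and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Result codes for one pass over an EAP-SIM attribute list (example code). */
enum sim_result { SIM_OK = 0, SIM_ERR_TRUNCATED, SIM_ERR_BAD_LEN, SIM_ERR_UNKNOWN_MANDATORY };
/* Stand-in dictionary: only AT_RAND (1), AT_NONCE_MT (7), AT_MAC (11) are known here. */
static int sim_attr_known(uint8_t type) { return type == 1 || type == 7 || type == 11; }
/* Decode the attribute list after the subtype/reserved octets. Per attribute:
 * 1 octet type, 1 octet length in 4-octet units (2-octet header included),
 * then 4*length-2 octets of value. Counts known and skipped attributes. */
enum sim_result sim_decode_attrs(const uint8_t *attr, size_t attrlen, int *known, int *skipped)
{
    *known = *skipped = 0;
    while (attrlen > 0) {
        if (attrlen < 2) return SIM_ERR_TRUNCATED;                 /* no type+length */
        uint8_t type = attr[0];
        size_t len = (size_t)attr[1] * 4;
        if (attr[1] == 0 || len > attrlen) return SIM_ERR_BAD_LEN; /* empty or overrun */
        if (!sim_attr_known(type)) {
            /* Lookup failed. RFC 4186 s8.1: 0..127 are non-skippable, so fail the
             * exchange instead of using a NULL result; 128..255 may be kept opaque. */
            if (type <= 127) return SIM_ERR_UNKNOWN_MANDATORY;
            (*skipped)++;
        } else {
            (*known)++;          /* a real decoder copies attr[2..len-1] here */
        }
        attr += len;             /* advance by the whole attribute, header included */
        attrlen -= len;
    }
    return SIM_OK;
}
/* Returns the result code, or -1 when the counts differ from what was expected. */
int sim_check(const uint8_t *buf, size_t n, int want_known, int want_skipped)
{
    int k, s;
    enum sim_result r = sim_decode_attrs(buf, n, &k, &s);
    return (r == SIM_OK && (k != want_known || s != want_skipped)) ? -1 : (int)r;
}
/* Constructed sample lists, not captured traffic. */
static const uint8_t SAMPLE_OK[] = { 11, 5, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 200, 1, 0, 0 }; /* AT_MAC + unknown skippable */
static const uint8_t SAMPLE_MANDATORY[] = { 42, 1, 0, 0 }; /* unknown, non-skippable */
static const uint8_t SAMPLE_OVERRUN[] = { 11, 5, 0, 0 };   /* claims 20 octets, has 4 */
static const uint8_t SAMPLE_SHORT[] = { 11 };              /* type with no length */
int main(void)
{
    printf("ok=%d mandatory=%d overrun=%d short=%d\n",
           sim_check(SAMPLE_OK, sizeof SAMPLE_OK, 1, 1), sim_check(SAMPLE_MANDATORY, sizeof SAMPLE_MANDATORY, 0, 0),
           sim_check(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, 0, 0), sim_check(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 0, 0));
    return 0;
}
```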
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r, newvp->vp_length = 1; fr_pair_add(&(r->vps), newvp);
/* * EAP-SIM has a 1 octet of subtype, and 2 octets * reserved. */ attr += 3; attrlen -= 3;
/* now, loop processing each attribute that we find */ while(attrlen > 0) { /* * Loop over each attribute. The format is: * * 1 octet of type * 1 octet of length (value 1…255) * ((4 * length) - 2) octets of data. */ while (attrlen > 0) { uint8_t *p;
if(attrlen < 2) { if (attrlen < 2) { fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen); return 0; }
if (!attr[1]) { fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", eapsim_attribute, es_attribute_count); return 0; }
eapsim_attribute = attr[0]; eapsim_len = attr[1] * 4;
/* * The length includes the 2-byte header. */ if (eapsim_len > attrlen) { fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)", eapsim_attribute, es_attribute_count, eapsim_len, attrlen); return 0; }
if(eapsim_len > MAX_STRING_LEN) { eapsim_len = MAX_STRING_LEN; } if (eapsim_len < 2) { fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute, es_attribute_count); return 0; } newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0); if (!newvp) { /* * RFC 4186 Section 8.1 says 0…127 are * "non-skippable". If one such * attribute is found and we don’t * understand it, the server has to send: * * EAP-Request/SIM/Notification packet with an * (AT_NOTIFICATION code, which implies general failure (“General * failure after authentication” (0), or “General failure” (16384), * depending on the phase of the exchange), which terminates the * authentication exchange. */ if (eapsim_attribute <= 127) { fr_strerror_printf("Unknown mandatory attribute %d, failing", eapsim_attribute); return 0; }
newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0); newvp->vp_length = eapsim_len-2; newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); memcpy(p, &attr[2], eapsim_len-2); fr_pair_add(&(r->vps), newvp); newvp = NULL; } else { /* * It’s known, ccount for header, and * copy the value over. */ newvp->vp_length = eapsim_len - 2;
newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length); memcpy(p, &attr[2], newvp->vp_length); fr_pair_add(&(r->vps), newvp); }
/* advance pointers, decrement length */ attr += eapsim_len;
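Review bot: in the skippable-unknown path (eapsim_attribute > 127, the lines directly after the RFC 4186 comment), the hunk as rendered shows a second `newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);` followed immediately by `newvp->vp_length = eapsim_len-2;` with no NULL check; the first lookup of the same number has just returned NULL, so unless those are the removed lines of the hunk, this path still dereferences NULL for every unknown attribute above 127 and needs to build the unknown pair another way or skip the attribute. Separately, the `if(eapsim_len > MAX_STRING_LEN)` clamp rewrites `eapsim_len` before the trailing `attr += eapsim_len;`, so an attribute longer than MAX_STRING_LEN leaves the cursor inside its own value and desynchronises every attribute after it; keep the wire length for advancing and clamp only the copied size. The comment "ccount for header" should read "account for header".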
Related news
Red Hat Security Advisory 2023-2870-01 - FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service server, designed to allow centralized authentication and authorization for a network. Issues addressed include an information leakage vulnerability.
An update for the freeradius:3.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-41859: In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
* CVE-2022-41860: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the ...
An update for freeradius is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-41859: In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
* CVE-2022-41860: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictio...
Ubuntu Security Notice 5785-1 - It was discovered that FreeRADIUS incorrectly handled multiple EAP-pwd handshakes. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. Shane Guan discovered that FreeRADIUS incorrectly handled memory when checking unknown SIM option sent by EAP-SIM supplicant. An attacker could possibly use this issue to cause a denial of service on the server. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.