lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4E2D8D7B.40104@dfn-cert.de>
Date: Mon, 25 Jul 2011 17:36:27 +0200
From: advisory@...-cert.de
To: bugtraq@...urityfocus.com
Subject: [DSB-2011-01] Security Advisory FreeRADIUS 2.1.11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

DFN-CERT Services GmbH - Security Advisory
==========================================

* Advisory: DSB-2011-01
* Version: 1.0
* Released on: 2011-07-22
* Updated on: 2011-07-22
* Product: FreeRADIUS 2.1.11 (2011-06-29)


Summary
- -------

FreeRADIUS is a RADIUS server software which supports many
authentication protocols. One of those protocols is EAP-TLS
used within 802.1X. In EAP-TLS X.509 client certificates are
used to authenticate remote users/clients.

FreeRADIUS supports several methods for checking the revocation
status of X.509 certificates. Recently support for revocation
status checking with the Online Certificate Status Protocol (OCSP)
was added to FreeRADIUS.

During a test of the OCSP support in FreeRADIUS, a security
vulnerability has been found in the way the FreeRADIUS code parses
the replies from an OCSP responder.

This allows a remote attacker to use a revoked certificate from an
otherwise trusted certification authority (CA) to successfully
authenticate against the FreeRADIUS server if it is configured
to use EAP-TLS with OCSP certificate validation.

OCSP is not enabled in the default configuration of FreeRADIUS.


Solution
- --------

Until now, there is no official patch for the vulnerability.
Therefore, we strongly advise you to disable OCSP support in the
FreeRADIUS configuration until an official patch by the packet
maintainer is available. Instead, the use of certification revocation
list (CRL) checking which is implemented by FreeRADIUS is recommended.


Details (CVE-2011-2701)
- -----------------------

In the file rlm_eap_tls.c, the ocsp_check() function performs a basic
verification of the value that is returned by the OCSP service
OCSP_basic_verify(), but it does not verify the status of the
certificate itself. Thus, if an attacker has access to a revoked
certificate and its matching private key, the attacker is able to get
authenticated against the FreeRADIUS server.
This allows the attacker to gain access to all network resources that
are accessible due to the FreeRADIUS authentication, e.g. Internet access.

To avoid the issue, the status of the certificate has to be checked with
the OCSP_resp_find_status() function by comparing the returned status
value against 'V_OCSP_CERTSTATUS_GOOD', and by checking the freshness of
the OCSP response with OCSP_check_validity().


References
- ----------

This advisory and further updates of it will be published at:

  <https://www.dfn-cert.de/informationen/Sicherheitsbulletins/dsb-2011-01.html>


New releases, or patches, for the software can be downloaded from the
official FreeRADIUS web site:

  <http://freeradius.org>


Contact
- -------

We created a basic patch for this issue which is not publicly available
because of possible side effects and a missing test environment. However,
we are willing to send our patch to all Linux/BSD vendors as a basis for
their own patches.

Any questions regarding this advisory, or the patch itself,
can be sent to advisory@...-cert.de.

Please note that we will not make our patch publicly available.


History
- -------

2011-07-01	Notified the FreeRADIUS project
2011-07-22	New version with a full description of the issue
		and the CVE identifier


-----BEGIN PGP SIGNATURE-----

iQEVAwUBTi2CGPNu3tfxLoPHAQIpcQf/bB1j7TPuP/252N+jxUlsh4TlV8KkBNP/
GrhMDl+35iq9+wtU4sn8JsuDP0lmTOKm7bEr1Iir9oCBN0bMWPzaWO/21U7Yqns7
IFlKn29aHgLeDWevnkxAUhFjHDEC/i0b7CSHqRcAtP2Fa5Z9TNlTDXIa3HXuOPev
Z4KcKo4LA9v3wFcu/JSLiQcHezC+qJKkIA9wtsiAbcEwyBqBY/Jvqx0ccK859XIC
jwBboxACIU+1hJvUBAv4u5F6jByQyegXPwe6tcnpYJi5Xd7xI3GJKm5r738L8NYW
MyNjrbXOYUDb4MsyWsr4HJSzzfiTjGrgC0xVSNTaoTMGM7I/WurDKQ==
=cnDb
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ