Bug 55761 - freeradius: Multiple issues (4.4)
Summary: freeradius: Multiple issues (4.4)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-9-errata
Assignee: Quality Assurance
QA Contact: Philipp Hahn
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-27 10:33 CET by Quality Assurance
Modified: 2023-03-01 14:42 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)


Description Quality Assurance univentionstaff 2023-02-27 10:33:09 CET
New Debian freeradius 3.0.17+dfsg-1.1+deb9u1A~4.4.9.202302271026 fixes:
This update addresses the following issues:
3.0.17+dfsg-1.1+deb9u1 (Fri, 24 Feb 2023 14:19:28 +0100)
* Non-maintainer upload by the ELTS team.
* CVE-2022-41859: In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
* CVE-2022-41860: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
* CVE-2022-41861: A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed attribute which can cause the server to crash.
* CVE-2019-11234: FreeRADIUS does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
* CVE-2019-11235: FreeRADIUS mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
* CVE-2019-13456: In FreeRADIUS 3.0 on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.
* CVE-2019-17185: In FreeRADIUS 3.0.x the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This means multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack.
3.0.17+dfsg-1.1+deb10u1 (Sat, 27 Aug 2022 22:29:38 +0300)
* Non-maintainer upload.
* CVE-2019-13456: side-channel leak where 1 in 2048 handshakes fail
* CVE-2019-17185: DoS due to multithreaded BN_CTX access
* Add upstream fix for a crash bug.
3.0.17+dfsg-1.1 (Mon, 22 Apr 2019 23:23:36 +0200)
* Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 / VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading to authentication bypass)
3.0.17+dfsg-1 (Mon, 07 Jan 2019 09:38:17 +0100)
* stop using pristine-tar
* New upstream version 3.0.17+dfsg
3.0.16+dfsg-5 (Fri, 14 Dec 2018 09:33:40 +0100)
* Revert "Strip rpath from a few modules."
3.0.16+dfsg-4.1 (Tue, 25 Sep 2018 15:18:31 +0100)
* Non-maintainer upload with permission.
* Split out python2 freeradius module into a standalone package.
* Strip rpath from a few modules.
* Drop upstart system jobs.
* Update git vcs URLs to salsa.
3.0.16+dfsg-3 (Tue, 20 Mar 2018 07:52:46 +0100)
* Change default /etc/freeradius permission from 2751 to 2750
3.0.16+dfsg-2 (Sun, 25 Feb 2018 16:25:54 +0100)
* Remove sites-enabled/* from freeradius-config
3.0.16+dfsg-1 (Mon, 22 Jan 2018 19:05:09 +0100)
* New upstream version 3.0.16+dfsg
3.0.15+dfsg-2 (Tue, 15 Aug 2017 09:50:16 +0200)
* logrotate: don’t accidentally define global options
3.0.15+dfsg-1 (Tue, 18 Jul 2017 20:49:31 +0200)
* New upstream version 3.0.15+dfsg, addressing the following security issues: CVE-2017-10978 (denial of service) CVE-2017-10984 (remote code execution, denial of service) CVE-2017-10985 (denial of service) CVE-2017-10983 (denial of service) CVE-2017-10986 (denial of service) CVE-2017-10987 (denial of service)
3.0.14+dfsg-3 (Tue, 18 Jul 2017 09:30:49 +0200)
* Revert "Work around debhelper bug to fix FTBFS" (fixed upstream in debhelper 10.6.3)
3.0.14+dfsg-2 (Wed, 05 Jul 2017 08:23:11 +0200)
* Work around debhelper bug to fix FTBFS
3.0.14+dfsg-1 (Mon, 03 Jul 2017 09:01:13 +0200)
* New upstream version 3.0.14+dfsg
* Switch to dh_missing’s --fail-missing feature
* Install missing file rlm_sql_freetds.so
* drop debian/patches/openssl-autoconf.diff (merged upstream)
* drop debian/patches/openssl-1.1.diff (merged upstream)
* drop debian/patches/manpage-fixes.diff (merged upstream)
* refresh patches
* add build-dependency on freetds-dev to build rlm_sql_freetds
* update Standards-Version to 4.0.0 (no changes necessary)
Comment 1 Quality Assurance univentionstaff 2023-02-27 12:06:46 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/freeradius_3.0.12+dfsg-5+deb9u1A~4.3.0.201711232203.dsc
+++ apt/ucs_4.4-0-errata4.4-9/source/freeradius_3.0.17+dfsg-1.1+deb9u1A~4.4.9.202302271026.dsc
@@ -1,21 +1,122 @@
-3.0.12+dfsg-5+deb9u1A~4.3.0.201711232203 [Mon, 27 Nov 2017 17:10:23 +0100] Univention builddaemon <buildd@univention.de>:
+3.0.17+dfsg-1.1+deb9u1A~4.4.9.202302271026 [Mon, 27 Feb 2023 10:33:15 +0100] Univention builddaemon <buildd@univention.de>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    050_ignore-invoke-rc.d-errors
-    100_autostart-setting
+  * UCS auto build. No patches were applied to the original source package
 
-3.0.12+dfsg-5+deb9u1 [Thu, 10 Aug 2017 09:05:06 +0200] Michael Stapelberg <stapelberg@debian.org>:
+3.0.17+dfsg-1.1+deb9u1 [Fri, 24 Feb 2023 14:19:28 +0100] Markus Koschany <apo@debian.org>:
 
-  * Apply upstream patches:
-    fr-ad-001.patch
-    fr-gv-201.patch (CVE-2017-10978)
-    fr-gv-206.patch (CVE-2017-10983)
-    fr-gv-301.patch (CVE-2017-10984)
-    fr-gv-302.patch (CVE-2017-10985)
-    fr-gv-303.patch (CVE-2017-10986)
-    fr-gv-304.patch (CVE-2017-10987)
-    fr-gv-305.patch
+  * Non-maintainer upload by the ELTS team.
+  * CVE-2022-41859:
+    In freeradius, the EAP-PWD function compute_password_element() leaks
+    information about the password which allows an attacker to substantially
+    reduce the size of an offline dictionary attack.
+  * CVE-2022-41860:
+    In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the
+    server will try to look that option up in the internal dictionaries. This
+    lookup will fail, but the SIM code will not check for that failure.
+    Instead, it will dereference a NULL pointer, and cause the server to crash.
+  * CVE-2022-41861:
+    A flaw was found in freeradius. A malicious RADIUS client or home server
+    can send a malformed attribute which can cause the server to crash.
+  * CVE-2019-11234:
+    FreeRADIUS does not prevent use of reflection for authentication spoofing,
+    aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.
+  * CVE-2019-11235:
+    FreeRADIUS mishandles the "each participant verifies that the received
+    scalar is within a range, and that the received group element is a valid
+    point on the curve being used" protection mechanism, aka a "Dragonblood"
+    issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
+  * CVE-2019-13456:
+    In FreeRADIUS 3.0 on average 1 in every 2048 EAP-pwd handshakes fails
+    because the password element cannot be found within 10 iterations of the
+    hunting and pecking loop. This leaks information that an attacker can use
+    to recover the password of any user. This information leakage is similar to
+    the "Dragonblood" attack and CVE-2019-9494.
+  * CVE-2019-17185:
+    In FreeRADIUS 3.0.x the EAP-pwd module used a global OpenSSL
+    BN_CTX instance to handle all handshakes. This mean multiple threads use the
+    same BN_CTX instance concurrently, resulting in crashes when concurrent
+    EAP-pwd handshakes are initiated. This can be abused by an adversary as a
+    Denial-of-Service (DoS) attack.
+
+3.0.17+dfsg-1.1+deb10u1 [Sat, 27 Aug 2022 22:29:38 +0300] Adrian Bunk <bunk@debian.org>:
+
+  * Non-maintainer upload.
+  * CVE-2019-13456: side-channel leak where 1 in 2048 handshakes fail
+  * CVE-2019-17185: DoS due to multithreaded BN_CTX access
+  * Add upstream fix for a crash bug. (Closes: #992036)
+
+3.0.17+dfsg-1.1 [Mon, 22 Apr 2019 23:23:36 +0200] Bernhard Schmidt <berni@debian.org>:
+
+  * Non-maintainer upload.
+  * Cherry-Pick upstream commits to fix CVE-2019-11234 / CVE-2019-11235 /
+    VU#871675 (Invalid Curve Attack and Reflection Attack on EAP-PWD, leading
+    to authentication bypass) (Closes: #926958)
+
+3.0.17+dfsg-1 [Mon, 07 Jan 2019 09:38:17 +0100] Michael Stapelberg <stapelberg@debian.org>:
+
+  * stop using pristine-tar
+  * New upstream version 3.0.17+dfsg
+
+3.0.16+dfsg-5 [Fri, 14 Dec 2018 09:33:40 +0100] Michael Stapelberg <stapelberg@debian.org>:
+
+  * Revert "Strip rpath from a few modules." (Closes: #911180)
+
+3.0.16+dfsg-4.1 [Tue, 25 Sep 2018 15:18:31 +0100] Dimitri John Ledkov <xnox@ubuntu.com>:
+
+  * Non-maintainer upload with permission.
+  * Split out python2 freeradius module into a standalone package.
+    (Closes: #900064)
+  * Strip rpath from a few modules.
+  * Drop upstart system jobs.
+  * Update git vcs URLs to salsa.
+
+3.0.16+dfsg-3 [Tue, 20 Mar 2018 07:52:46 +0100] Michael Stapelberg <stapelberg@debian.org>:
+
+  * Change default /etc/freeradius permission from 2751 to 2750 (Closes: #890933)
+
+3.0.16+dfsg-2 [Sun, 25 Feb 2018 16:25:54 +0100] Michael Stapelberg <stapelberg@debian.org>:
+
+  * Remove sites-enabled/* from freeradius-config (Closes: #889593)
+
+3.0.16+dfsg-1 [Mon, 22 Jan 2018 19:05:09 +0100] Michael Stapelberg <stapelberg@debian.org>:
+
+  * New upstream version 3.0.16+dfsg
+
+3.0.15+dfsg-2 [Tue, 15 Aug 2017 09:50:16 +0200] Michael Stapelberg <stapelberg@debian.org>:
+
+  * logrotate: don’t accidentally define global options (Closes: #872158)
+
+3.0.15+dfsg-1 [Tue, 18 Jul 2017 20:49:31 +0200] Michael Stapelberg <stapelberg@debian.org>:
+
+  * New upstream version 3.0.15+dfsg, addressing the following security issues:
+    CVE-2017-10978 (denial of service)
+    CVE-2017-10984 (remote code execution, denial of service)
+    CVE-2017-10985 (denial of service)
+    CVE-2017-10983 (denial of service)
+    CVE-2017-10986 (denial of service)
+    CVE-2017-10987 (denial of service)
     (Closes: #868765)
+
+3.0.14+dfsg-3 [Tue, 18 Jul 2017 09:30:49 +0200] Michael Stapelberg <stapelberg@debian.org>:
+
+  * Revert "Work around debhelper bug to fix FTBFS (Closes: #866978)"
+    (fixed upstream in debhelper 10.6.3)
+
+3.0.14+dfsg-2 [Wed, 05 Jul 2017 08:23:11 +0200] Michael Stapelberg <stapelberg@debian.org>:
+
+  * Work around debhelper bug to fix FTBFS (Closes: #866978)
+
+3.0.14+dfsg-1 [Mon, 03 Jul 2017 09:01:13 +0200] Michael Stapelberg <stapelberg@debian.org>:
+
+  * New upstream version 3.0.14+dfsg
+  * Switch to dh_missing’s --fail-missing feature
+  * Install missing file rlm_sql_freetds.so
+  * drop debian/patches/openssl-autoconf.diff (merged upstream)
+  * drop debian/patches/openssl-1.1.diff (merged upstream)
+  * drop debian/patches/manpage-fixes.diff (merged upstream)
+  * refresh patches
+  * add build-dependency on freetds-dev to build rlm_sql_freetds
+  * update Standards-Version to 4.0.0 (no changes necessary)
 
 3.0.12+dfsg-5 [Tue, 30 May 2017 17:18:34 +0200] Michael Stapelberg <stapelberg@debian.org>:
 

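Review bot: The 4.3 build carried two UCS-specific patches (`050_ignore-invoke-rc.d-errors`, `100_autostart-setting`) that this hunk removes, replacing them with `UCS auto build. No patches were applied to the original source package`; nothing in the hunk says whether the invoke-rc.d error handling and the autostart setting became obsolete with 3.0.17 or still need an equivalent in UCS 4.4-9, so the bug or the errata YAML should state which it is before the package ships.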
<http://piuparts.knut.univention.de/4.4-9/#7688570808236737298>
Comment 2 Philipp Hahn univentionstaff 2023-03-01 14:19:46 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 Cross-Debian-package cleanup issue

[4.4-9] dbc8ef6da8 Bug #55761: freeradius 3.0.17+dfsg-1.1+deb9u1A~4.4.9.202302271026
 doc/errata/staging/freeradius.yaml | 103 +++++++------------------------------
 1 file changed, 19 insertions(+), 84 deletions(-)

[4.4-9] cd5b507f10 Bug #55761: freeradius 3.0.17+dfsg-1.1+deb9u1A~4.4.9.202302271026
 doc/errata/staging/freeradius.yaml | 108 +++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)