freeradius-3.0.13-15.el7
Errata ID: AXSA:2020-624:01
Release date:
2020/10/07 Wednesday - 23:49
Title:
freeradius-3.0.13-15.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
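- When freeradius does not configure logrotate correctly, a local attacker who already has control of the radiusd user can escalate privileges to root by tricking logrotate into writing a radiusd-writable file to a directory that the radiusd user normally cannot access. (CVE-2019-10143)
- freeradius fails on average 1 in every 2048 EAP-pwd handshakes because the password element cannot be found within 10 iterations of the Hunting and Pecking loop, which leaks information that an attacker can use to recover the password of any user. This information leak is similar to the "Dragonblood" attack and CVE-2019-9494. (CVE-2019-13456)
- In freeradius, the EAP-pwd module uses a global OpenSSL BN_CTX instance to handle all handshakes, so multiple threads use the same BN_CTX instance concurrently. When EAP-pwd handshakes are started at the same time, this causes a crash, which an attacker can abuse as a denial-of-service (DoS) attack. (CVE-2019-17185)
Solution:
Update the packages.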
CVE:
CVE-2019-10143
** DISPUTED ** It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
CVE-2019-13456
In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.
CVE-2019-17185
In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This means multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused by an adversary as a Denial-of-Service (DoS) attack.
Additional information:
N/A
Downloads:
SRPMS
- freeradius-3.0.13-15.el7.src.rpm
MD5: cc3e46cb7b414a04c1dbf09968f0a265
SHA-256: 2dfa93c0a076aa7b7a731fcbd77683f3b1a59c5aedd912b8c17e4f35b7710aba
Size: 3.01 MB
Asianux Server 7 for x86_64
- freeradius-3.0.13-15.el7.x86_64.rpm
MD5: 1408c6e52556f3ef8f834aa961ffeab1
SHA-256: 1cf36efcdbfaec677deb933afc973a1d5c331079977324ffada3753983971854
Size: 1.07 MB