freeradius denial of service in authentication flow
aland at freeradius.org
Fri Feb 14 19:53:11 UTC 2014
Pierre Carrier wrote:
> rlm_pap.c, mod_authorize, case PW_SSHA_PASSWORD calls normify(request,
> vp, 20), which for base64-encoded values will invoke
> base64_decode(vp->strvalue, buffer).
> Nothing stops this base64_decode invocation from going over the buffer
> boundary, a uint8_t on the stack.
OK. We've pushed changes to the v2.x.x, v3.0.x, and master branches.
See commit 0d606cfc29a in the v2.x.x branch, and ff5147c9e5088c7 in v3.0.x.
The "master" branch doesn't have an official release, so downstream
users don't need to do anything for it.
> Indeed, it is not a remote DoS, and I agree the practical implications
> aren't too scary.
> But, as a hypothetical, convoluted illustration:
> A disgruntled employee could prevent all access to a company's
> internal network without out-of-band intervention, including from
> remote locations if the Radius infrastructure is centralized.
> Such internal network access could be needed to revoke their credentials.
And would be discovered pretty quickly.
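The missing bound described in the report, shown as an added example that is not part of the original thread and is not FreeRADIUS code: a base64 decoder that takes the destination size and refuses to write past it. The function name `b64_decode_bounded`, the 24-byte buffer and the sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/*
 * Hypothetical bounded decoder (not FreeRADIUS code): writes at most
 * outlen bytes to out. Returns the decoded length, or -1 if the input
 * is malformed or the decoded data would not fit in the buffer.
 */
static long b64_decode_bounded(const char *in, uint8_t *out, size_t outlen)
{
    size_t inlen = strlen(in), n = 0;
    uint32_t acc = 0;
    int bits = 0;
    /* Drop up to two trailing '=' padding characters. */
    for (int pad = 0; pad < 2 && inlen > 0 && in[inlen - 1] == '='; pad++)
        inlen--;
    if (inlen % 4 == 1)
        return -1;                      /* impossible base64 length */

    for (size_t i = 0; i < inlen; i++) {
        const char *p = strchr(B64, in[i]);
        if (p == NULL)
            return -1;                  /* character outside the alphabet */
        acc = (acc << 6) | (uint32_t)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen)
                return -1;              /* bound check before every write */
            out[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;    /* keep only the leftover bits */
        }
    }
    return (long)n;
}

int main(void)
{
    uint8_t buf[24];                    /* constructed size: 20-byte SHA-1 + 4-byte salt */
    /* Constructed inputs: 24 'A' bytes fit, 48 'A' bytes must be rejected. */
    printf("%ld\n", b64_decode_bounded("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB", buf, sizeof buf));
    printf("%ld\n", b64_decode_bounded(
        "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB", buf, sizeof buf));
    return 0;
}
```

On rejection the buffer may hold a partial decode, so the caller should treat a -1 return as "no value" and discard the contents.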