package: freeradius
tags: security
version: 3.0.17+dfsg-1
severity: important
justification: Inappropriately broad default authorization
The Debian freeradius package changes the default eap configuration to use the default list of Debian certification authorities as the default CAs for verifying client certificates for incoming EAP connections.

The package leaves the following notice in /etc/freeradius/3.0/mods-available/eap:

  # See also:
  #
  # http://www.dslreports.com/forum/remark,9286052~mode=flat
  #
  # Note that you should NOT use a globally known CA here!
  # e.g. using a Verisign cert as a "known CA" means that
  # ANYONE who has a certificate signed by them can

And then proceeds to do something even worse: it sets the default CA to the entire list of Debian trusted CAs.

As discussed by the freeradius docs, you want the default for EAP certificates to be an organization-specific CA.

--Sam
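One way to audit an eap module config for this class of mistake, as an added example that is not from the bug report or the freeradius package: it parses the tls-config block and flags a ca_file or ca_path that points at a distribution-wide trust store. The trust-store paths and the two sample config fragments are assumptions constructed for the illustration.

```python
"""Audit a FreeRADIUS 3.0 eap config for a ca_file/ca_path that trusts a distribution-wide
CA bundle rather than an org-specific CA. Added illustration, not the package's code."""
import re

# Distribution CA bundle locations (assumption; extend for your platform).
SYSTEM_TRUST_STORES = {"/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/certs",
                       "/etc/pki/tls/certs/ca-bundle.crt"}

def parse_tls_settings(text):
    """Return {block: {key: value}} for each 'tls-config NAME { ... }' block,
    stripping '#' comments and expanding ${var} from keys seen earlier."""
    blocks, stack, seen = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                          # block open
            stack.append(line[:-1].strip())
            if stack[-1].startswith("tls-config"):
                blocks[stack[-1]] = {}
        elif line == "}":                               # block close
            stack.pop()
        elif (m := re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)):
            key, value = m.group(1), m.group(2)
            value = re.sub(r"\$\{(\w+)\}",
                           lambda v: seen.get(v.group(1), v.group(0)), value)
            seen[key] = value
            if stack and stack[-1].startswith("tls-config"):
                blocks[stack[-1]][key] = value
    return blocks

def audit(text):
    """List (block, key, value) where a tls-config trusts a system-wide store."""
    findings = []
    for name, settings in parse_tls_settings(text).items():
        for key in ("ca_file", "ca_path"):
            value = settings.get(key, "").rstrip("/")
            if value in SYSTEM_TRUST_STORES:
                findings.append((name, key, value))
    return findings

# Constructed samples: the shape the report objects to, and the fix it asks for.
DEBIAN_STYLE = """tls-config tls-common {
    ca_file = /etc/ssl/certs/ca-certificates.crt   # every public CA
    ca_path = /etc/ssl/certs
}"""
ORG_STYLE = """tls-config tls-common {
    cadir = /etc/freeradius/3.0/certs
    ca_file = ${cadir}/ca.pem                      # organization CA only
}"""
```

Run `audit()` over the contents of mods-available/eap; an empty list means every tls-config block names a CA under your own control.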