Package: freeradius
Severity: grave
Tags: security

Hi,
the following vulnerability was published for freeradius.
CVE-2012-3547[0]:
| PRE-CERT Security Advisory
| ==========================
|
| * Advisory: PRE-SA-2012-06
| * Released on: 10 September 2012
| * Affected product: FreeRADIUS 2.1.10 - 2.1.12
| * Impact: remote code execution
| * Origin: specially crafted client certificates
| * CVSS Base Score: 10
| Impact Subscore: 10
| Exploitability Subscore: 10
| CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
| * Credit: Timo Warns (PRESENSE Technologies GmbH)
| * CVE Identifier: CVE-2012-3547
|
|
| Summary
| -------
|
| A stack overflow vulnerability has been identified in FreeRADIUS that allows to
| remotely execute arbitrary code via specially crafted client certificates
| (before authentication). The vulnerability affects setups using TLS-based EAP
| methods (including EAP-TLS, EAP-TTLS, and PEAP).
|
| FreeRADIUS defines a callback function cbtls_verify() for certificate
| verification. The function has a local buf array with a size of 64
| bytes. It copies the validity timestamp "not after" of a client
| certificate to the buf array:
|
| asn_time = X509_get_notAfter(client_cert);
| if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
| memcpy(buf, (char*) asn_time->data, asn_time->length);
| buf[asn_time->length] = '\0';
|
| The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
| greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.
|
| Depending on the stack layout chosen by the compiler, the vulnerability allows
| to overflow the return address on the stack, which can be exploited for code
| execution.
|
|
| Solution
| --------
|
| The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
| soon as possible.
|
|
| References
| ----------
|
| When further information becomes available, this advisory will be
| updated. The most recent version of this advisory is available at:
|
| http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547
http://security-tracker.debian.org/tracker/CVE-2012-3547
Cheers
Nico
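
Added example, not part of the advisory and not the FreeRADIUS 2.2.0 patch: the length test quoted above next to a copy that is bounded by the destination size. The struct time_field stand-in for ASN1_TIME, the helper names and the sample data are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 254 /* value quoted in the advisory */
#define BUF_LEN 64         /* size of buf in cbtls_verify() per the advisory */

/* Stand-in (assumption) for the two ASN1_TIME fields the quoted snippet reads. */
struct time_field {
    int length;
    const unsigned char *data;
};

/* The length test from the quoted snippet: it compares against
 * MAX_STRING_LEN, which says nothing about the 64-byte destination. */
static int advisory_guard_accepts(const struct time_field *t)
{
    return t != NULL && t->length < MAX_STRING_LEN;
}

/* Bounded copy: the limit is the destination size, one byte is reserved for
 * the terminator, and negative lengths are refused. Returns 0 on success and
 * -1 (with dst set to the empty string) when the field is rejected. */
static int copy_time_field(char *dst, size_t dst_size, const struct time_field *t)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (t == NULL || t->data == NULL || t->length < 0)
        return -1;
    if ((size_t)t->length >= dst_size) /* length == dst_size would lose the NUL */
        return -1;
    memcpy(dst, t->data, (size_t)t->length);
    dst[t->length] = '\0';
    return 0;
}

int main(void)
{
    unsigned char filler[100]; /* constructed oversized field */
    char buf[BUF_LEN];
    struct time_field big = { (int)sizeof filler, filler };

    memset(filler, 'A', sizeof filler);
    printf("advisory guard accepts %d bytes: %d\n", big.length, advisory_guard_accepts(&big));
    printf("bounded copy result: %d\n", copy_time_field(buf, sizeof buf, &big));
    return 0;
}
```

A field of exactly 64 bytes is also rejected, because the terminator written after the copy needs a byte of its own.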

