Hi,
> Cihan DEMİR <[EMAIL PROTECTED]> wrote:
> > We're using 0.9.3 version on RedHat.
> ...
> > Any comment? Thanks in advance.
>
> Upgrade.
and to back Alan up, you really should upgrade:
# 2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the
EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first
appeared) to 1.1.0. Insufficient input validation was being done in the
EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their
EAP-MSCHAPv2 client state machine to potentially convince the server to bypass
authentication checks. This bypassing could also result in the server crashing.
We recommend that administrators upgrade immediately.
# 2005.09.09 v1.0.3, v1.0.4 - Multiple issues exist with version 1.0.4, and all
prior versions of the server. Externally exploitable vulnerabilities exist only
for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to
SQL injection attacks, similar to the issues noted below. All sites that have
not deployed the rlm_sqlcounter module are not vulnerable to external exploits.
However, we still recommend that all sites upgrade to version 1.0.5.
The issues are:
* SQL Injection attack in the rlm_sqlcounter module.
* Buffer overflow in the rlm_sqlcounter module, that may cause a server
crash.
* Buffer overflow while expanding %t, that may cause a server crash.
These issues were found by Primoz Bratanic. As the rlm_sqlcounter module is
marked "experimental" in the server source, it is not enabled or configured in
most sites. As a result, we believe that the number of vulnerable sites is low.
Additional issues, not externally exploitable, were found by Suse. A full
response to their report is available here. A related post to the vendor-sec
mailing list is found here.
# 2005.05.01 v1.0.1, v1.0.2 - Two vulnerabilities in the SQL module exist in
all versions prior to 1.0.3. Sites not using the SQL module are not affected by
this issue. However, we still recommend that all sites upgrade to version 1.0.3.
The issues are:
* Buffer overflow - A long string could overflow an internal buffer in the
SQL module, and write two bytes of text [0-9a-f] past the end of the buffer.
The server may exit when this happens, resulting in a DoS attack. Depending on
the local configuration of the server, this may occur before a user is
authenticated. This vulnerability is externally exploitable, but can not result
in the execution of arbitrary code.
* SQL injection attacks - The SQL module suffers from SQL injection attacks
in the group_membership_query, simul_count_query, and simul_verify_query
configuration entries. The first query is exploitable if your site is
configured to use the SQL-Group attribute in any module in the authorize
section of radiusd.conf. The last two queries are exploitable only if your site
has user names that contain a single quote character (').
# 2004.09.14 v1.0.0 - Multiple external DoS attacks exist in the server. These
are related to the attacks below, in 0.9.2, but were not caught then. The
vulnerabilities are fixed in 1.0.1, and in all later versions of the server.
The vulnerabilities are not exploitable, but can be used to remotely crash the
server.
# 2003.11.20 v0.9.3 - There is an externally exploitable root compromise in
rlm_smb, through a stack overflow when a password greater than 128 bytes is
referenced by the module. The module is not built or installed by default, so
we have not released a 0.9.4. This vulnerability is fixed in the CVS snapshots,
and will be included in any later release of the server.
- PS I know RedHat have done backporting of various fixes - but we have no idea
exactly which backports, and since the resulting '0.9.3' code is different to the
native 0.9.3 code, any bugs may well be because of the RedHat changes
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
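The 1.0.1/1.0.2 advisory above says the SQL module's group_membership_query, simul_count_query and simul_verify_query were injectable when a user name contained a single quote. The following is an added illustration, not FreeRADIUS code: it expands a constructed simul_count_query template the naive way and then with an allow-list escaper in the spirit of rlm_sql's safe-characters setting (the exact default list and the =XX encoding are assumptions), and includes the site check the advisory implies, listing which existing user names carry a quote.

```python
import re

# Constructed example: a simul_count_query in the style of a FreeRADIUS 1.0.x
# rlm_sql configuration.  The %{Attr} placeholder syntax mirrors radiusd's
# expansion; the query text itself is illustrative, not copied from a release.
SIMUL_COUNT_QUERY = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
)

# Allow-list in the spirit of rlm_sql's safe-characters setting (assumption:
# the exact default string varies between releases).
SAFE_CHARACTERS = set(
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def expand_unescaped(template, attrs):
    """Naive expansion: every character of the attribute lands in the SQL text."""
    return PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), ""), template)


def sql_escape(value):
    """Rewrite each character outside the allow-list as =XX (hex), so a quote
    in the attribute can never terminate the query's string literal."""
    return "".join(c if c in SAFE_CHARACTERS else "=%02X" % ord(c) for c in value)


def expand_escaped(template, attrs):
    """Hardened expansion: the attribute is escaped before substitution."""
    return PLACEHOLDER.sub(lambda m: sql_escape(attrs.get(m.group(1), "")), template)


def literal_broken(template, query):
    """True if the expanded query has more quotes than the template, i.e. the
    substituted value terminated its literal early (the injection condition)."""
    return query.count("'") != template.count("'")


def usernames_with_quote(usernames):
    """Site check from the advisory: which existing user names carry a quote."""
    return [u for u in usernames if "'" in u]


if __name__ == "__main__":
    attrs = {"SQL-User-Name": "o'brien"}   # constructed: an apostrophe in a real name
    naive = expand_unescaped(SIMUL_COUNT_QUERY, attrs)
    safe = expand_escaped(SIMUL_COUNT_QUERY, attrs)
    print("unescaped:", naive, "-> broken:", literal_broken(SIMUL_COUNT_QUERY, naive))
    print("escaped:  ", safe, "-> broken:", literal_broken(SIMUL_COUNT_QUERY, safe))
    print("risky:", usernames_with_quote(["alice", "o'brien", "bob"]))
```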