-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 PRE-CERT Security Advisory ========================== * Advisory: PRE-SA-2012-06 * Released on: 10 September 2012 * Affected product: FreeRADIUS 2.1.10 - 2.1.12 * Impact: remote code execution * Origin: specially crafted client certificates * CVSS Base Score: 10 Impact Subscore: 10 Exploitability Subscore: 10 CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) * Credit: Timo Warns (PRESENSE Technologies GmbH) * CVE Identifier: CVE-2012-3547 Summary - ------- A stack overflow vulnerability has been identified in FreeRADIUS that allows to remotely execute arbitrary code via specially crafted client certificates (before authentication). The vulnerability affects setups using TLS-based EAP methods (including EAP-TLS, EAP-TTLS, and PEAP). FreeRADIUS defines a callback function cbtls_verify() for certificate verification. The function has a local buf array with a size of 64 bytes. It copies the validity timestamp "not after" of a client certificate to the buf array: asn_time = X509_get_notAfter(client_cert); if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) { memcpy(buf, (char*) asn_time->data, asn_time->length); buf[asn_time->length] = '\0'; The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy. Depending on the stack layout chosen by the compiler, the vulnerability allows to overflow the return address on the stack, which can be exploited for code execution. Solution - -------- The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as soon as possible. References - ---------- When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at: http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt Contact - -------- PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de/. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) iQEcBAEBCAAGBQJQTeoEAAoJEI9qFXJ0Ecg6itgH/iIVs5KGxV/DlAe9zUxy+Pz+ U8dofuufwqPhJdCzIIQ/QHohcpHvVzPrfw7BXrAvQtu1D6omPytqVoG9hUvtiTdM dT6W92hu2+d0LOzuhGD+ZrMq4kxAlJoI44ozNC+/oo79buEc6s48x5q7YFh73qas eNVmyUpOwxjRtU/szdq6X47E4IFGQfhyYNR0VyN8Fu/nSKs4UDg5BGNHP/yHrU19 1acLvgXkM4kTiaA6U2CuRt89q1Q2Oj6YEcvTc0obeWar0xleL3UJVomEiLoRku/W pscQK9ROtETXLMKMTCD8ydJHp8wg8/2G2Sg2ybAi1ayS3Pp4cHtBZOqZCi6yy6k= =tTo+ -----END PGP SIGNATURE-----